Five Questions to Ask Yourself this Valentine’s Day

This week, people around the world are exchanging cards, heart-shaped candy or flowers with loved ones to celebrate Valentine’s Day. This holiday centers on seeking happiness in relationships and finding love, but just as important, is how we find happiness in our careers and passion for the jobs we do every day.

Does this relationship fulfill you?

They may not happen every day. Or even every week. But after a project launch, a conversation with a team member or even when you finished a great piece of work your boss loved – do you have those moments of fulfillment and accomplishment? If you can’t recall your last moment, it might be time to think about how to reignite that spark.

At McAfee, rewards and recognition are simply part of who we are and our managers are trained in timely, relevant feedback to help our employees reach their full potential (so you have more of those “I’m killing it!” moments).

In addition, we find a strong sense of purpose serves as a powerful motivator. We’re in the business of keeping the world safe, so no matter what role you’re in, you don’t have to look far to see the impact you’re making. All employees also have the opportunity to contribute to our wider communities through programs like McAfee Explorers (a job-shadowing program designed to inspire the next generation of cybersecurity heroes), McAfee Online Safety Program for Kids (teaching children online safety) and our Global Community Service Day (an all employee volunteer day).

Do you share the same values?

Relationships that are misaligned on the things that matter most are doomed to end in heartbreak. By aligning your values with those of the company, you ensure you work both for and with people who share them.

We’ve worked hard to create five meaningful values to live by. We put the customer at the core. We achieve excellence with speed and agility. We practice inclusive candor and transparency. We play to win or don’t play. We innovate without fear. These five values drive every business decision we make, determine our hiring practices and guide employees on how goals are achieved.

Can you be yourself?

It isn’t true love if you can’t share your true self. Expending energy hiding who you are distracts from what’s important both at home and at work.

We believe everyone has the right to bring their full authentic self to work. As part of our commitment to creating an inclusive and welcoming culture, we invest in fueling diversity of thought and work hard to encourage and celebrate the things that make us different from one another. We know diversity not only makes us better, more understanding and empathetic colleagues, but it also affects the way we think and problem solve, helping to make us the best possible versions of ourselves. Check out how we’re celebrating Black History Month to learn more on how McAfee Communities, our employee-led resource groups, help us all gain a better understanding and appreciation for our differences.

Are you challenged to grow?

Before taking any relationship to the next level, it’s important to know you can grow together, not apart.

Because the learning never stops in an industry that relies on innovation and staying a step ahead of the bad guys, growing your career is built in at McAfee. Having worked at McAfee for over 10 years and risen to CHRO in that time, I tell my team every day that the same opportunities exist for them too. You just need the passion and drive to get there. And of course, whether it’s through career path planning or our tuition reimbursement program, McAfee offers employees everything you need to energize your career and help you reach your goals.

What about the little things?

It may have been love at first sight, but often it’s the little things that help keep the spark alive.

Our employees are at the heart of everything we do and so we work hard to make sure we listen to all those “little things” that truly add up to something amazing. Scooters in 10 offices worldwide? Sure! Or what about joining the 5 percent of companies that offer unlimited vacation in the U.S.? Done! How about a program that lets you bring your dog to work on a Friday: we’ve made it happen with McAfee’s Pups at Work program. Scroll through our Life At McAfee feed for some puppy love!

And on top of this, we offer fruit, spa water, donut Fridays (we can’t be good all the time!) and soda drinks all year round in a majority of our offices. Now, we’re not saying donuts equate to long-lasting love, but think about the small, extra steps your current employer goes to for you and if you get those warm happy feelings at not just the big things, but the little things too.


With an updated curriculum and new cybersecurity career module, McAfee’s Online Safety Program for Kids is set to reach new heights

Online safety is an area that now touches nearly everyone – from corporate CEOs and governments to grandparents and children. It’s also why nearly 130 countries come together on Safer Internet Day to raise awareness for and work together to create a safer digital world for all.

This movement, of which McAfee is proudly an official sponsor, reminds us that we each share a responsibility to build a better internet, a responsibility McAfee takes very seriously. That is why, as part of Safer Internet Day activities this week, we’re announcing the global relaunch of McAfee’s award-winning Online Safety Program for Kids.

This program has long been at the heart of who we are at McAfee. Every year hundreds of McAfee employees donate their time and skills to teach online safety to teachers, parents and children in our communities. And along the way we’ve forged important strategic relationships to scale our reach even further. Take our Bletchley Park partnership in England, where our dedicated Cybersecurity Exhibition Zone was opened by the Duchess of Cambridge, Kate Middleton, back in 2014. This week alone, the site has seen more than 200 students take part in cybersecurity education sessions run by McAfee employees as part of Safer Internet Day.

So how do we improve on royalty as part of our relaunch, you may be asking? The new program includes an expanded curriculum designed by our team of engineers, data scientists, threat researchers and more to cover the latest in emerging threats, including social media privacy, cyber ethics, geotargeting and phishing, to name a few.

And in the midst of a global cybersecurity talent shortage (an estimated deficit of two million professionals by 2019), it’s more urgent than ever to inspire the next generation of cybersecurity heroes. So now our Online Safety Program for Kids includes an education-based module with a greater emphasis on exposure and role modeling. This empowers young girls and boys alike to ask questions and learn about a career in data science, threat research or engineering from our real-world experts, who are only too familiar with not just the career paths but the rewards associated with working in cybersecurity.

I’m also pleased to say that, driven by employee demand, McAfee’s annual Global Community Service Day will place cybersecurity education for children front and center, with our more than 7,000 employees worldwide encouraged to share their skills and knowledge within their local communities.

Thank you to McAfee’s employees worldwide who volunteer their time to grow McAfee’s Online Safety Program for Kids and invest in our youth globally. And just looking at our program numbers you can see why I’m in awe and inspired by this amazing team who work hard every day to deliver on our pledge to keep the world safe.

Interested in making a positive difference not only for customers and partners, but for the communities in which we live? Then, join us. Search our jobs. Together, we can make the world a safer place.


This week’s World Economic Forum (WEF) in Davos, Switzerland featured the launch of the World Economic Forum System Initiative on Shaping the Future of Digital Economy and Society, a global platform for coalitions of public and private sector entities to “collaborate and accelerate progress against shared digital economy goals and to shape a digital future that is sustainable, inclusive, and trustworthy.”

The Forum has partnered with The Boston Consulting Group to produce a report entitled Cyber Resilience Playbook for Public-Private Collaboration, which contextualizes cybersecurity policies through 14 key areas of potential cooperation between governments and corporations. While countries and cultures must make their own choices on how to address the public-private policy challenges facing us in the years ahead, we at McAfee argue that the government and business leaders meeting in Davos this week must answer policy questions in four critical areas to have a constructive, positive impact in shaping the evolution of cyberspace in 2018 and beyond.

The Uncertainty of Attribution

Attribution is among the most complex and challenging aspects of cybersecurity, and the implications of getting active defense responses wrong based on faulty attribution are particularly daunting. Government and business leaders must be wary of these dynamics as cyber-attacks inflict greater levels of damage, and as cyber-attack victims demand accountability and retaliation based on such imprecise attribution.

Digital forensic work can suggest a perpetrator behind a cyber-attack, but it rarely does so with certitude. Level-headed attackers will naturally seek to implicate some other party in their handiwork, so false flags and red herrings often litter the cyber-attack scene.

For instance, it could be risky to draw conclusions about a cyber-attack’s origin and perpetrators solely on things such as the presence of Cyrillic, Mandarin, Korean, Arabic, or Persian characters or words within an identified piece of malware. Once such methods of attribution become accepted best practices, attackers will undoubtedly seek to manipulate that acceptance to hide their tracks.

This marks a profound difference from nuclear strategy or conventional terrorism, where proven techniques can source an incoming missile or trace a bomb’s origin. Cyberspace allows even a bit-player terror group to try to pit nation-states against one another with cyber aggression that appears to come from those countries.

There is a clear need for both the private and public sectors to understand where they add value. Pinpointing blame for a cyber-attack takes a blend of cutting-edge digital forensics from the public and private sectors and traditional intelligence from public-sector intelligence services or law enforcement partners.
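To make the language-artifact point concrete, here is an added example (not tooling from the Forum, McAfee, or the playbook) of the kind of naive string-based heuristic the text warns against, run over a constructed sample. It extracts printable ASCII and UTF-8 strings from a binary blob, buckets characters by Unicode script, and reports the dominant non-Latin script; a single planted resource string is then enough to flip the verdict. The sample bytes, the API names, and the Russian and Korean strings are all constructed for the illustration.

```python
import re
import unicodedata
from collections import Counter

# Added example (not the Forum's or McAfee's tooling): a deliberately naive
# "language artifact" triage heuristic. It pulls printable ASCII / UTF-8 strings
# out of a binary blob, buckets the characters by Unicode script, and names the
# dominant non-Latin script. Real string extractors also handle UTF-16LE (common
# in Windows binaries), which adds its own alignment-related noise; omitted here.

# Runs of >= 4 units, each a printable ASCII byte or a well-formed 2/3-byte UTF-8 sequence.
_UTF8_RUN = re.compile(
    rb"(?:[\x20-\x7e]|[\xc2-\xdf][\x80-\xbf]|[\xe0-\xef][\x80-\xbf]{2}){4,}"
)

# Coarse script buckets keyed by the prefix of the character's Unicode name.
_SCRIPT_PREFIXES = {
    "CYRILLIC": "Cyrillic",
    "ARABIC": "Arabic",      # Persian is written in Arabic script
    "HANGUL": "Hangul",
    "CJK": "CJK (Han)",
}


def extract_strings(blob: bytes) -> list:
    """Return decoded printable runs found in the blob."""
    return [m.group().decode("utf-8", errors="replace") for m in _UTF8_RUN.finditer(blob)]


def script_of(ch: str):
    """Map a character to a script bucket via its Unicode name; None for Latin/other."""
    try:
        name = unicodedata.name(ch)
    except ValueError:  # unnamed code point (e.g. U+FFFD from a bad decode)
        return None
    for prefix, label in _SCRIPT_PREFIXES.items():
        if name.startswith(prefix):
            return label
    return None


def script_histogram(blob: bytes) -> Counter:
    """Count non-Latin characters per script across all extracted strings."""
    counts = Counter()
    for s in extract_strings(blob):
        for ch in s:
            label = script_of(ch)
            if label:
                counts[label] += 1
    return counts


def naive_attribution(blob: bytes) -> str:
    """The verdict a string-only heuristic produces; not evidence of origin."""
    counts = script_histogram(blob)
    if not counts:
        return "no non-Latin script artifacts"
    label, n = counts.most_common(1)[0]
    return f"{label} ({n} characters)"


# Constructed sample "binary": a fake header, two Win32 API names and a Russian
# debug string an operator forgot to strip.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + bytes(range(0, 32))
    + b"CreateRemoteThread\x00WriteProcessMemory\x00"
    + "Ошибка сети".encode("utf-8") + b"\x00\xff\xfe\x01\x02"
)

# Same sample plus one planted Korean resource string: a one-line change for the
# attacker that flips what the heuristic reports.
FALSE_FLAG = SAMPLE + b"RCDATA\x00" + "설정 파일을 찾을 수 없습니다".encode("utf-8") + b"\x00"

if __name__ == "__main__":
    print("original  :", naive_attribution(SAMPLE))      # Cyrillic (10 characters)
    print("false flag:", naive_attribution(FALSE_FLAG))  # Hangul (12 characters)
```

The heuristic is cheap to run and cheap to defeat: nothing in it distinguishes an operator’s leftover debug string from a string planted precisely so that it will be found, which is why such artifacts belong in the "suggests" column of a forensic report and never in the "proves" column.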

The Unpredictability of Active Defense—Hacking Back

Offensive cyber weapons can be programmed to focus on an intended target. In some ways they are the ultimate precision ordnance – at least in theory.

In actuality, active defense or “hacking back” cyber-attacks can have unpredictable consequences due to the complex interconnectedness of today’s internet, and the ability of attackers to use that dense complexity to cover their tracks.

Even in capable, officially-sanctioned hands, retaliatory strikes can inadvertently, directly or indirectly impact online services, third-party assets, and individuals in addition to their intended targets.

Add to this wild card exercise any software bugs or coding errors within these cyber weapons, and small flaws could have large consequences, as cyber-attacks could go awry, damaging more unintended networks and third-party actors.

The unpredictable dynamics of “hacking back” should place a tremendous priority on the responsible governance and coordination of active defense efforts by public and private entities.

Zero-Day Vulnerabilities

Governments must always recognize that the private sector’s willingness and commitment to cybersecurity collaboration is reliant in part on how transparent governments are about knowledge critical to its mission, including disclosures of zero-day vulnerability discoveries.

Private sector actors must always recognize that governments have the unique responsibility to balance vulnerability disclosures with the necessity to protect real human lives by any means necessary, including digital cyber-weapons exploiting such vulnerabilities.

Once such software vulnerabilities are discovered and publicly released “into the wild,” technology vendors can take action to address those vulnerabilities with security updates. Public knowledge of these vulnerabilities also provides hackers blueprints for exploiting them through cyber-attacks. If withheld, governments can use their knowledge of the zero day vulnerabilities for cyber-espionage or cyber-warfare campaigns.

While it is reasonable to expect governments to take an active, responsible role in the research and timely public disclosure of such vulnerabilities, it is also reasonable to expect governments to “stockpile” their knowledge of zero-day vulnerabilities for use in future covert cyber activities.

After all, isn’t there real humanitarian value in using cyber-attacks to digitally disable power plants or other physical military targets without the physical destruction and loss of life caused by a kinetic weapon such as a bomb?

Successful public-private cybersecurity partnerships must involve an ongoing dialogue, and a pragmatic give and take exchange between actors. Only by addressing this and other potential trust issues can governments, technology vendors, and other private sector actors hope to work together to gain a step on the cyber-attackers working furiously to uncover and take advantage of the same vulnerabilities.

Threat Intelligence Sharing

Ultimately, information is the lifeblood of cyber-defense. It’s not an exaggeration to say that success in the previously mentioned critical areas of public-private cybersecurity collaboration relies heavily on getting policies right in the crucial area of threat research, data, and other intelligence sharing. “Getting it right” requires that policies reflect the limitations as well as the advantages of sharing.

Data collected and shared by governments may already be regarded as out of date by cybersecurity industry actors. There will always be concerns that government or industry members of information-sharing communities might play “free rider”, benefiting from drawing on volumes of other organizations’ data and intelligence while contributing little information of their own.

Strong processes must enable effective, real-time sharing of the data that matters most, to enable coordinated responses to security events such as the cross-industry response to major developments like the WannaCry and NotPetya malware outbreaks, and the disclosure earlier this month of the Meltdown and Spectre speculative-execution vulnerabilities in processors.

Beyond episodic collaboration, information sharing must seek to achieve real security improvements over the long-term, while strong privacy protections must be in place to maintain the trust of those whom security efforts are meant to protect.

While leaders at Davos and beyond may understand that cybersecurity is one of the greatest digital challenges of our time, it’s even more important that they understand that no one organization, entity or sector can solve it alone. There’s a reason McAfee believes in the “Together is Power” mantra. The solutions to cybersecurity lie in collaboration and innovation, and public-private partnerships present one of the greatest challenges and opportunities facing us.


Like other Internet of Things (IoT) devices, medical equipment is a vulnerable attack surface. By 2018, it’s expected that sales of medical devices will exceed 14 million units—more than five times the sales of 2012.[1] Network- and cloud-connected medical devices used in clinical settings—nurse stations, patient monitors, communications, networks, diagnostic devices, testing, scanning systems, blood gas analyzers, and more—are just as much at risk as healthcare IT networks, laptops, and tablets.

Medical device manufacturers have a responsibility to secure their devices to prevent breaches and to protect the privacy of patient and healthcare facilities’ data. They must ensure their products conform to strict regulatory compliance mandates dictated by the Health Insurance Portability and Accountability Act (HIPAA) and the requirements for medical devices issued by the US Food and Drug Administration (FDA).

Healthcare information is rich in both financial and personally identifiable data, making it a highly profitable target for cybercriminals. In the black market, a health record can fetch as much as $60, compared to $15 for a Social Security number.[2] It’s estimated that approximately 100 million healthcare records were compromised just in the first quarter of 2015.[3] A recent study reveals that the average cost of a healthcare breach in 2016 was $4 million per incident—up 29% since 2013.[4]

Let’s take a look at the trajectory of a typical threat that targets poorly secured medical devices. The implications can be devastating, with the potential for costly data breaches.

An employee (either inadvertently or with malicious intent) installs malware on a connected medical device via a USB drive.

The malware connects the infected device to an external command and control server.

The perpetrator wipes out the data and overwrites a server’s Master Boot Record.

Siemens Healthineers—a global leader in medical imaging, laboratory diagnostics, and healthcare information technology—recognizes that system security is a critical concern among healthcare providers and customers. They employ trusted McAfee embedded security and solutions to ensure that security is designed into their devices at the outset. The Siemens Ultrasound System Security is an embedded antivirus solution powered by McAfee that offers a comprehensive defense against unwanted applications, blocking both known and unknown threats. In addition, their RapidLab1200 blood gas analyzer uses McAfee whitelisting to secure the device and prevent unauthorized applications from running on it. To learn more about how network security can be breached via a medical instrument and how Siemens works with McAfee to protect patient data on blood gas analyzers, view this informational video created by Siemens.
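The three-step scenario above (USB-introduced malware, a command-and-control beacon, then a wiper that overwrites the MBR) depends on an unauthorized executable being allowed to run at step one, which is what application whitelisting denies. The following is an added example of a default-deny, hash-based allowlist check; it is not Siemens’ or McAfee’s product logic. It assumes a per-device key held in protected storage (`DEVICE_KEY` is a placeholder), a JSON manifest of SHA-256 digests, and an HMAC over that manifest so that an attacker who gains write access to the filesystem cannot simply append their own binary’s digest. The two “executables” and the manifest contents are constructed for the illustration.

```python
import hashlib
import hmac
import json

# Added example, not Siemens' or McAfee's product logic. Assumptions: the device
# holds a per-device key in protected storage (DEVICE_KEY is a placeholder), the
# allowlist is a JSON manifest of SHA-256 digests of permitted executables, and
# the manifest carries an HMAC so that an attacker who can write to the
# filesystem (e.g. from the USB drive in the scenario above) cannot simply add
# their own binary to the list.

DEVICE_KEY = hashlib.sha256(b"placeholder-device-key").digest()  # placeholder, not a real key


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(digests) -> bytes:
    # Sorted, whitespace-free JSON so signer and verifier MAC identical bytes.
    return json.dumps(sorted(set(digests)), separators=(",", ":")).encode()


def sign_manifest(digests, key: bytes) -> dict:
    """Build an allowlist manifest and bind it to the device key with an HMAC."""
    mac = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    return {"allowed": sorted(set(digests)), "mac": mac}


def verify_manifest(manifest: dict, key: bytes) -> bool:
    """Constant-time check that the manifest was produced under this key and not edited since."""
    expected = hmac.new(key, _canonical(manifest.get("allowed", [])), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(manifest.get("mac", "")))


class ExecutionPolicy:
    """Default-deny: only images whose digest is in an intact manifest may run."""

    def __init__(self, manifest: dict, key: bytes):
        if not verify_manifest(manifest, key):
            raise ValueError("allowlist manifest failed integrity check; refusing to load")
        self.allowed = frozenset(manifest["allowed"])

    def decide(self, image: bytes) -> str:
        return "ALLOW" if sha256_hex(image) in self.allowed else "DENY"


# Constructed stand-ins for executables present on the device.
ANALYZER_APP = b"MZ...blood-gas-analyzer-ui-v4.2 (constructed sample)"
DROPPER = b"MZ...usb-dropper-that-beacons-to-c2-then-wipes-mbr (constructed sample)"


def simulate() -> dict:
    """Run the scenario: legitimate app allowed, dropper denied, edited manifest rejected."""
    manifest = sign_manifest([sha256_hex(ANALYZER_APP)], DEVICE_KEY)
    policy = ExecutionPolicy(manifest, DEVICE_KEY)

    # Attacker with filesystem write access appends their digest but cannot recompute the MAC.
    tampered = {"allowed": manifest["allowed"] + [sha256_hex(DROPPER)], "mac": manifest["mac"]}
    try:
        ExecutionPolicy(tampered, DEVICE_KEY)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True

    return {
        "analyzer": policy.decide(ANALYZER_APP),
        "dropper": policy.decide(DROPPER),
        "tampered_manifest_rejected": tampered_rejected,
    }


if __name__ == "__main__":
    print(simulate())
```

Two caveats a practitioner would raise. First, an HMAC keeps the example standard-library only, but a symmetric key that the device can read is a key an attacker with physical access can extract; a production design keeps a manufacturer private key offline and ships only the public key on the device, so the manifest carries a signature rather than a MAC. Second, allowlisting stops an unknown binary from launching; it does not stop an allowed but vulnerable application from being exploited in memory, so patching and network segmentation of clinical devices still matter.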

I’m pleased to announce McAfee has completed our acquisition of Skyhigh Networks, now part of the McAfee Cloud Security Business Unit, led by former Skyhigh CEO Rajiv Gupta.

It’s a perfect fit. Skyhigh is an ideal complement to McAfee’s strategy. We’re both passionate about modernizing cybersecurity environments for the future and keeping our customer at the core of every decision we take.

And those customers are increasingly adopting the cloud to transform the way they do business. Yet cloud security is often an afterthought of, or impediment to, cloud adoption itself. This can no longer be acceptable if organizations are to realize the full transformative potential the digital world has to offer.

McAfee is committed to making the cloud the most secure environment for business and offers a cloud portfolio that addresses the three primary challenges of managing multi-cloud environments—visibility into networks, workloads and data; advanced threat protection; and pervasive data protection. Bringing Skyhigh’s cloud capabilities into a McAfee portfolio that already includes market-leading products in the endpoint and security operations center (SOC) gives our customers a company capable of delivering comprehensive threat defense, yet motivated to partner across an open ecosystem to the same end.

And, while bringing Skyhigh into the McAfee family creates a whole greater than the sum of its parts, we’ll be greater still by working with customers and partners who demand the best from the industry’s device-to-cloud cybersecurity company. Thank you for joining us on this journey. Together is power.


The Internet of Things (IoT) has already helped to connect our world in so many ways, bringing huge improvements and convenience to our lives, homes and health. But we’re often guilty of taking it for granted and failing to celebrate the many ways in which being connected supports some of the world’s largest industries, such as transport, agriculture, manufacturing and even the cities in which we live. With around half of the world’s population now online and more and more sectors turning to tech every day, I thought it would be a perfect time to highlight some of the fundamental ways IoT has made society what it is today.

Agriculture

Farmers are increasingly using their smartphones for new techniques that improve the production of livestock and field activity – also known as ‘agritech’. This includes looking after the health of cattle, analysing grazing time, and even water consumption through sensor-fitted collars. These can even alert farmers when they sense motions associated with labour from pregnant cattle. Meanwhile, organisations like the Wildlife Conservation Society are monitoring endangered species prone to poaching activities through the use of motion-sensing cameras.

Not only are they finding that IoT minimises their operational costs, but it also allows them to achieve better results. For example, harmful pesticides and extreme weather conditions that could have adverse effects on crops can be detected in advance, so that a course of action can be put in place.

Climate and environment

Networking and telecommunications company Ericsson claims that IoT could help cut up to 63.5 gigatons of greenhouse gas emissions by 2030, while the International Telecommunication Union has predicted that rural areas and developing countries will change the way they access electricity and the internet thanks to smarter energy-saving solutions.

Various organisations are already providing smarter solutions for protecting the planet. For example, the San Francisco startup Rainforest Connection has enhanced the protection of forests vulnerable to deforestation, including in Indonesia and the Amazon, by transforming mobile phones into solar-powered listening devices attached to trees; these alert rangers if they detect the sound of a chainsaw from over a kilometre away. Other examples can be seen in IBM’s China Research Lab and London’s Pigeon Air Patrol, which are improving the quality of the city’s air through a forecasting system that monitors pollution levels in different neighbourhoods.

Transport

In many ways, it feels as though the transport industry has long used IoT, thanks to technologies like sensor-driven street lights, speed cameras and sat navs, which have been commonplace since 2013. And the innovation hasn’t stopped there; we’re continuing to see plenty of movement in the space. For example, Transport for London (TfL) supports approximately 21 million commuter trips each day and has predicted that the city will be populated by a total of 10 million people by 2030. It’s no wonder the introduction of Oyster cards in 2003 was a huge success, later to be replaced by a contactless payment system that today accounts for more than one billion journeys. We later saw London’s iconic red buses also go green in 2014 with the introduction of wirelessly charging hybrid buses. Similarly, car manufacturers such as Mercedes, BMW and Tesla all have plans to launch driverless cars in the near future, with predictions that 10 million self-driving cars will be on the road by 2020.

Although it’s interesting to see how IoT has become so widespread and had such a massive impact on various industries and people’s lives, it’s almost natural to forget the dangers and risks that come with it, or to envisage a time when we managed without it. As more and more industries take advantage of the benefits offered by IoT, poorly secured devices pose a growing risk. For this reason we need to remember that all devices need to be protected with secure networks and the latest software. In the age of the Internet of Things, this will be more important than ever.

To keep up-to-date with the latest cybersecurity news, take a look at the McAfee Security blog here.

It’s nearly 2018. And from the discussions I have weekly, it’s clear that business leaders understand far more about the risk of cyber threats today than they did even a few years ago.

However, so many business leaders I talk to still want to know if they’re doing everything they can to protect their companies.

Answer: They’re not.

The critical missing piece a business leader needs to protect his or her company from cyber threats? It’s a culture of security.

As the world becomes more connected, cybercriminals are finding new ways to attack businesses, to exploit vulnerabilities in technology — and the humans that use it. Some are even using the same innovative technology we use every day to defend ourselves as a weapon against us.

Just this year, we’ve seen new iterations of cyberattacks with unprecedented and chilling repercussions.

In May, ambulances were diverted from some of the 40 hospitals in the United Kingdom that were crippled by the WannaCry ransomware attack. Major U.S. brands have paid, and will continue to pay, big – both in dollars and reputation – for major data breaches that exposed customers’ private information.

So many businesses are doing the basics: They are hiring a Chief Security Officer. They are buying the latest technology that integrates human-machine teaming and artificial intelligence to learn about, adapt to and detect threats. They are establishing baseline protocols for maintaining a secure environment.

But it’s no longer enough to just cover your bases. Cybercriminals are getting smarter and they’re still finding ways in.

A culture of security is the piece that activates all those security best practices and investments in technology. It’s the marker determining whether or not any of those things are worth it.

So how do business leaders do it?

First – they must get their employees on board. Employees can be a company’s biggest vulnerability or its first line of defense. That means building security into the vision and values of a company. And getting employees to acknowledge and commit to the security culture.

Businesses need technology that supports rather than inconveniences employees so that they’re motivated to make smart decisions, rather than looking for work-arounds.

And businesses need to think security first – whether that’s in designing new products and services, signing partnership agreements, in hiring new employees or anything else.

At McAfee, we’re building security into our culture not just because we live and breathe this stuff everyday – but because the business imperative for every company to protect themselves from unavoidable threat requires it. Join us.


One year on. It is fair to say that the No More Ransom project not only exceeded our expectations, but simply blew these initial expectations out of the water. A collaboration between six partners (McAfee, EC3, Dutch Police, Kaspersky Lab, AWS and Barracuda) has now grown to include more than 100 partners across the public and private sector. We often hear people talk about Public-Private Partnerships, but here is a true example of that commitment in action.

Because of this commitment from all the partners, this initiative has resulted in the successful decryption of more than 28,000 computers. Let us put that into context, for zero cost, victims of ransomware who do not have to be customers of any security provider can get their data back for nothing. They don’t have to fill in a survey, enter their email address, provide their credit card details, in fact they don’t even have to worry about obfuscating their IP address. For the first time, there is another option. No longer are victims faced with the option of a) lose my data or b) pay criminals.

So thank you to all of our partners, and thank you to those of you who tweeted and blogged about it. This site has been successful – in fact so successful that we even have ransomware named after us.

Of course, the Queen of England gets a boat named after her; we get ransomware! Well, that’s okay, because it shows that, with the tens of millions of dollars we have prevented from going into the hands of criminals, they have taken notice.

We will not stop; in fact, we need more partners, more decryption tools and more successes. The message of #DontPay seems to be working (as we witnessed with WannaCry and NotPetya), and we will continue in our efforts to hurt the bottom line of criminals.


In my field of cybersecurity, as long as we have a shortage of human talent, and as a 451 Research report released this week illustrates, we must rely on technologies such as these to amplify the capabilities of the humans we have. Furthermore, as long as there are human adversaries behind cybercrime and cyber warfare, there will always be a critical need for human intellect teamed with technology.

We recently commissioned 451 Research to delve into this area in one of its Pathfinder Advisories. Released this week, the report nicely frames the concept of “human-machine teaming” in cybersecurity. It identifies ways in which we can use machine learning to overcome the challenges of protecting organizations and do so with an insufficient number of cybersecurity professionals.

Machine learning means security teams are better informed so they can, therefore, make better decisions. Security executives realize that the intelligence and creativity of their security operations experts are critical business resources. Machine learning is a technology that allows chief security officers (CSOs) to get the most out of human and security product assets.

Adversaries are human, continuously introducing new techniques. Creative new tactics and strategies dealt by adversaries force security teams to employ machine learning to automate the discovery of new attack methods. Creative problem solving and the unique intellect of the security team strengthen the response.

Machine learning becomes more accurate as more data is available to feed its algorithms. Enhancements in handling big data using high-performance and massive-capacity storage architectures have enabled the growth of artificial intelligence.

IT teams need help analyzing faults. In those rare instances when endpoint security cannot prevent damage from an attack, machine learning accumulates relevant data elements into one place, placing it at the fingertips of security analysts when needed.

Machine learning has enabled us to improve the accuracy of hurricane forecasting from within 350 miles to within 100 miles. Nate Silver’s best seller The Signal and the Noise notes that although our weather forecasting models have improved, combining this technology with human knowledge of how weather systems work has improved forecast accuracy by 25%. Such human-machine teaming has literally saved thousands of lives.

As we implement machine learning deeper into our cyber defenses, we must recognize that humans are good at doing certain things and machines are good at doing certain things. The best outcomes will come from combining them. Machines are good at processing massive quantities of data and performing operations that inherently require large scales. Humans have strategic intellect, so they can understand the theory about how an attack might play out even if it has never been seen before.

Of course, thunderstorms are not trying to evade the latest in machine learning technologies applied by human beings. Cybercriminals are.

Cybersecurity is very different from other fields that employ big data, analytics, and machine learning because there is an adversary trying to reverse engineer your models and evade your capabilities. Security technologies such as spam filters, virus scans, and sandboxing are still part of protection platforms, but their industry buzz has cooled since criminals began working to evade their technology.

Based on the information they receive, IT security staff on the front lines of an attack can anticipate new evasion techniques, exploits, and other tactics in ways detection models based on the past cannot. A major area in which we see this playing out is attack reconstruction, where technology assesses what has happened inside your environment, and then engages a human to work on the scenario.

Efforts to orchestrate security incident responses can benefit tremendously when a complex set of actions is required to remediate a cyber incident. Some of those actions might have very severe consequences to networks. Having a human in the loop not only helps guide the orchestration steps, but also assesses whether the required actions are appropriate for the level of risk involved.

The 451 report asserts that machine learning will manifest itself by optimizing the cyber professional’s user experience, automatically flagging suspicious behavior, and by automatically making high-value investigation and response data available. In this way, says the report, IT security teams will have “the ability to rapidly dismiss alerts and accelerate solutions that thwart new threats.”

In threat intelligence analysis, attack reconstruction, and incident response orchestration, human-machine teaming takes the machine assessment of new information and layers upon it the intellect that only a human can bring.

Doing so can lead us to better outcomes in all aspects of cybersecurity. Now more than ever, better outcomes are everything in cybersecurity.

Ransomware follows a relatively simple model: data is encrypted, the victim pays, data is decrypted. At least that is what those who create ransomware want you to believe. This was also our assumption when we began our analysis of WannaCry—that those behind the campaign would decrypt victims’ data once they received payment. However, for a campaign with incredibly effective propagation techniques, reasonable key and data management, and a working anonymous communication fabric with Bitcoin payments, we found a major flaw: The WannaCry attackers appear to be unable to determine which users have paid the ransom and they cannot decrypt on a per-user basis.

This post summarizes the significant efforts of a McAfee threat research team that has been relentless in its efforts to gain a deeper understanding of the WannaCry ransomware. We would like to specifically acknowledge Christiaan Beek, Lynda Grindstaff, Steve Grobman, Charles McFarland, and Kunal Mehta for their efforts.

Technical summary

Our analysis into the encryption and decryption functions within WannaCry reveals an effective tool set. The authors:

Created an 8-byte unique identifier (via CryptGenRandom) that identifies the current machine and all the encrypted files on that machine. This ID is used in all communications with the back end and is intended to allow per-user decryption. (See “Can the attackers be contacted?” for details.)

Developed a (somewhat unreliable) back end that keeps track of which users have encrypted files. (See “Can the authors respond? Can they return a private key?”)

Made file decryption possible, provided that the “Check Payment” interaction with the back end results in the decrypted key being written to 00000000.dky. The authors know if the returned data is a key or a message to be displayed to the user. The authors must have tested this at least once, and have thus tested full decryption where the need for the correct private key was clearly known. (See “Recovering the user’s private key”)

WannaCry appears to have been written by (at least) two authors or teams with different motives:

One author favored Win32 APIs and wrapping those APIs or using object orientation.

The other author favored C, common APIs (such as fopen), and long procedural functions. They may have been responsible for weaponizing the file encryptor/decryptor, but we do not know. If we are correct, this code probably introduced the unique ID idea but the interface was not updated to include a way to associate the ID with the user’s Bitcoin wallet.

The WannaCry authors demonstrated good technical governance, for example, the key handling, buffer sanitization, and private key security on disk using a strongly encrypted format. It is odd that with such good governance, the same group neglected to include something as essential as a unique ID for a user (or instance of attack) because this is mandatory to decrypt a specific user’s files. While much of the initial analysis described the WannaCry campaign as “shoddy,” the use of good technical governance suggests that there are elements of this campaign that are well implemented.

This competence raises doubts that the campaign was shoddy. Given the level of capability demonstrated, we would expect the developers would have found and fixed basic errors. Indeed, could the inclusion of these basic errors be an attempt to make the campaign appear amateur? Without apprehending those behind the campaign, it is impossible to know their motivation; yet a thorough analysis of the technical artefacts questions the shoddy theory.

Motivations

What were the attackers’ motives? Is this real ransomware or something else? For a particular ransomware family to make money in the long term, it must be able to encrypt and decrypt files, and have a reputation that once payment is sent, data can be recovered.

To keep ransom payments flowing, the authors used current messaging infrastructure to ask users to send their Bitcoin wallet IDs to the attackers. This is the same messaging infrastructure that ultimately delivers the user’s private key, allowing full decryption.

However, there is limited evidence from the field that payment yields data decryption.

To test key components of the ransomware

This is likely because the malware contains almost no reverse engineering and debugging protection.

We have already seen new WannaCry variants that are harder to analyze because components download 24 hours or so after infection time.

To disrupt

Ransomware as a destructive mechanism. The use of ransomware to destroy or generate noise, though not common, would be a particularly effective tactic.

Determining the authors’ intent is not trivial, and likely not possible with the information available. However, to get closer to an answer, the question we need to answer is whether WannaCry is fully functional. Analyzing that leads to a few detailed questions that we explored:

Can WannaCry decrypt files?

Can the authors be contacted?

Can the authors respond? Can they return a private key?

Does WannaCry prevent the recovery of files?

Does WannaCry prevent the recovery of key material?

Is WannaCry fully functional?

WannaCry can communicate with a back end that maintains its state and prevents the recovery of key material and file data. If one has the user’s private key, the user’s data can be recovered. Despite its bugs and design issues, WannaCry is effective. It is not high quality or well implemented, but it is effective.

Can WannaCry decrypt files?

The short answer is Yes. WannaCry’s encryption, key management, and file formats have been documented by McAfee Labs, so we will not cover that here. Instead, we will focus on the decryption tool, which we know makes use of the following API sets:

Using WinDbg or IDA Pro, we can set conditional breakpoints on the APIs used by @WanaDecryptor@.exe and dump out useful information. Given the lack of debugging protection in the ransomware, this is one of the fastest ways to understand WannaCry’s behavior.

Sample decryption

To encourage users to pay the ransom, the decryption tool @WanaDecryptor@.exe can decrypt a small number of files for free. After the “free” files have been decrypted, the decryptor looks for the file 00000000.dky, which should contain the user’s private key. If found, this key is used to decrypt all files on the system. If we have the user’s private key, can we decrypt all files?

Recovering the user’s private key

To prove that decryption is possible, we need the private key:

Break on CryptGenKey and get the handle to any created key pair.

Break on CryptExportKey and watch the export of the public and private keys to memory.

Here we can steal the private key and check if decryption works.

Optionally, put breakpoints showing the encryption of the private key with the attacker’s public key (hardcoded within the encryptor binary), and save it to disk in 00000000.eky.

To analyze the key creation, we can use the following breakpoints:

Figure 1: Crypto API breakpoints for key import and export.

As WannaCry initializes, it calls CryptGenKey to generate a new random key, the handle to which is returned in the fourth parameter.

Figure 2: Creating a new random key.

Next, WannaCry exports the public key from the generated key and saves it to the file 00000000.eky. Note the presence of 0x06 and RSA1. This indicates that the exported key blob is a public key. To view the key blob, save the address of the buffer and buffer size in temporary registers, allow the function to return, and dump the key blob using the address and size values from the temporary registers.

Figure 3: Capturing the user’s public key.

Next, WannaCry exports the private-public key pair to memory. Note the presence of 0x07 and RSA2 in the exported buffer.

Figure 4: Capturing the user’s private-public key pair.

Immediately afterward, WannaCry encrypts the user’s private key with the attacker’s public key and writes the file to 00000000.eky. The contents of this file are sent to the attackers when the user clicks “Check Payment” (as discussed further in “Can the attackers be contacted?”).

At this moment, the private-public key pair is easily recoverable, so we can issue a command to dump that memory to a file, as shown below:

Figure 5: Writing the private key to disk from WinDbg.

In Figure 5, we have given the private key almost the correct name. If the file 00000000.dky exists and contains a valid private key that can decrypt files, WannaCry will abort its encryption run. To decrypt files, rename the file to 00000000.dky once all files have been encrypted, and click on Decrypt.

Figure 6: Dialog after WannaCry successfully decrypts all files.

Based on this analysis, WannaCry is capable of per-user decryption, provided that WannaCry can send the user’s private key to the back end, receive the private decrypted key, and place it in the correct location.

Can the attackers be contacted?

WannaCry provides two methods of communication with the attackers: the “Contact Us” link and the “Check Payment” button on the main decryptor interface, shown below in Figure 7.

Figure 7: WannaCry’s Decryptor interface.

If WannaCry allowed recovery, both interface controls should function. Assuming that all communication is over standard network sockets, we can inspect the traffic in real time using WinDbg/IDA Pro with the breakpoints in Figure 8.

Figure 8: Breakpoints for analyzing network traffic.

Our goal is to determine what is being sent to and received from the back end. The detail is not shown here, but WannaCry makes use of TOR to anonymize communications with the attackers, cycling through many TOR servers. We looked for the user’s private key being sent to the back end, where we expected it to be decrypted and sent back if the user had paid the ransom (or if the attackers had decided to randomly decrypt a user’s key). We found one message that was large enough. An example is shown in Figure 9.

Figure 9: A large and interesting buffer sent to the back end.

However, the data did not match any part of the user’s private key stored on disk; could this communication be encrypted? Looking at the call stack, we saw several frames:

Figure 10: Post encryption send call stack.

Looking at the previous frame, we saw a simple wrapper around ws2_32!send, so this is not an encryptor.

Figure 11: ws2_32!send wrapper.

Looking at the frame before the send wrapper in Figure 11, we found a reasonably long function beginning at 0x0040d300 that appears to be responsible for obfuscating the buffer, and we confirmed that using IDA Pro with a second breakpoint, as shown below:

Figure 12: Message obfuscator function breakpoint.

Rerunning our Check Payment debugging run, our new breakpoint fired and revealed the message to be sent prior to obfuscation:

Figure 13: Message to be sent to back end.

The message encodes information that identifies the user. We color-coded the message components in Figures 13 and 15:

Green: The 8-byte unique ID stored in the first 8 bytes of 00000000.res. This is created by a call to CryptGenRandom during WannaCry’s initialization and persists for the life of the attack.

Orange: The computer name retrieved with GetComputerNameA.

Red: The user’s name retrieved by GetUserNameA.

Bold: The Bitcoin wallet ID that the user should have sent money to, and the amount that the user should have paid.

Cyan: The encrypted user’s private key as read from 00000000.eky.

Based on the message content, it is reasonable to assert that the attacker’s back end receives all the information required to identify users who have paid the ransom, and should be able to perform per-user decryption, provided there is a mechanism for users to tie their Bitcoin transfers to the 8-byte unique ID that represents their specific encryption instance. However, we found no mechanism to do this and there are no interface elements or instructions to help.

Running the same experiment using the Contact Us interface shown in Figure 14, we sent a message “Hey! Can I have my files back?” to the attackers, and using our breakpoint from Figure 12, we determined that a common messaging framework is used.

Figure 14: Messaging interface.

Figure 15: Message sent to back end.

The results in Figure 15 show:

Both Check Payment and Contact Us appear to use a common messaging format.

The 8-byte unique ID, machine name, and username are always sent.

The payload can vary according to message type.

As a result, we conclude that the attackers should have been able to uniquely identify a user but they clearly omitted a mechanism to tie a payment to an ID, making per-user decryption technically impossible.

Can the authors respond? Can they return a private key?

Shortly after its release, Check Payment began returning a message to users instructing them to use the Contact Us mechanism to send the users’ Bitcoin wallet addresses, as shown in Figure 16.

Figure 16: Request for a Bitcoin wallet address.

This message confirms that the attackers can respond. It also gives us an opportunity to analyze the flow of Check Payment messages. Using the same send and recv breakpoints from Figure 8, we received the following obfuscated message:

Figure 17: Encrypted response received from attackers.

Using the following breakpoint, we then watched for that data being written to the obfuscated buffer; if the obfuscation removal occurs in place, we should be able to look at the decrypted buffer.

Figure 18: Message decryption breakpoint.

Once the breakpoint fired, we saw that the message was modified in place:

Figure 19: In-place decryption of the encrypted message.

Our analysis of the function in question in WinDbg and IDA Pro indicated that on return the message was in plain text. Issuing the gu command to step out of the function, we saw the message decrypted, as shown in Figure 20.

Figure 20: Decrypted check-payment message.

This is the same message that we saw displayed in the dialog box, so end-to-end communication is working. But, how is this message used? Again, we made use of a hardware breakpoint, as shown in Figure 21.

Figure 21: Hardware breakpoint to track the decrypted message.

The preceding breakpoint triggers during a call to fwrite to 00000000.dky; the message is written to the file that should contain the user’s private key, as shown below in the subsequent WriteFile call made by fwrite and fflush.

Figure 22: Entire message being written to 00000000.dky

The entire message, or whatever was sent back to the decryptor, is written to the file 00000000.dky. Thus we conclude that Check Payment should return a crypto API key blob for the user’s private key. By enabling our key import breakpoint shown in Figure 1, we verified this, as shown below:

Figure 23: The decrypted message imported as a key in CryptImportKey.

Note the value of eax at the bottom of Figure 23 after CryptImportKey has returned: eax is 0, which means that CryptImportKey failed. If CryptImportKey fails, then WannaCry eventually deletes 00000000.dky and displays the message to the user. If CryptImportKey succeeds, the user can successfully decrypt all the files.

From this analysis, we conclude:

The WannaCry communication fabric is active and can return messages.

The WannaCry back end is live and tracking users because the help message is returned only once.

The WannaCry client expects that a message or private key can be returned from the back end:

If the message is not a private key (CryptImportKey fails), the client assumes the message is text that should be shown to the user.

Private keys are left on disk in 00000000.dky and allow the user to decrypt their files.
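To make the decryptor’s key-file handling concrete, here is an added example (not code from the McAfee post or from WannaCry) that classifies a buffer by the structural rules an RSA key blob must satisfy before CryptImportKey would accept it: a 0x06 header with the RSA1 magic is a public key blob (Figure 3), 0x07 with RSA2 is a private key blob (Figure 4), and anything else is what the decryptor would treat as a text message to display. The BLOBHEADER and RSAPUBKEY layouts and the CALG_RSA_KEYX constant are the documented wincrypt.h definitions, redefined here so the code builds outside Windows; the blob lengths are derived from the documented RSA blob layout, and the sample message text and zeroed key material are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* wincrypt.h constants, redefined so this builds on any platform. */
#define PUBLICKEYBLOB     0x06u
#define PRIVATEKEYBLOB    0x07u
#define CUR_BLOB_VERSION  0x02u
#define CALG_RSA_KEYX     0x0000a400u
#define RSA1_MAGIC        0x31415352u  /* the bytes "RSA1", read little-endian */
#define RSA2_MAGIC        0x32415352u  /* the bytes "RSA2" */
#define RSA_BLOB_HDR_LEN  20u          /* BLOBHEADER (8 bytes) + RSAPUBKEY (12 bytes) */

typedef enum {
    BLOB_NOT_A_KEY = 0, /* CryptImportKey would fail: the decryptor shows it as text */
    BLOB_RSA_PUBLIC,    /* 0x06 + "RSA1": modulus only, as captured in Figure 3   */
    BLOB_RSA_PRIVATE    /* 0x07 + "RSA2": full key pair, what 00000000.dky needs  */
} blob_kind;

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Total size of an RSA blob of the given type: the 20-byte header plus n for a
 * public blob, or n, p, q, dp, dq, qinv, d for a private blob. */
size_t rsa_blob_len(uint8_t type, uint32_t bitlen)
{
    size_t body = (type == PRIVATEKEYBLOB) ? 9u * (bitlen / 16u) : bitlen / 8u;
    return RSA_BLOB_HDR_LEN + body;
}

/* Classify a buffer by the structural rules an RSA key blob must satisfy.
 * On success *bitlen_out (if non-NULL) receives the modulus size in bits. */
blob_kind classify_key_blob(const uint8_t *buf, size_t len, uint32_t *bitlen_out)
{
    if (buf == NULL || len < RSA_BLOB_HDR_LEN) return BLOB_NOT_A_KEY;
    uint8_t  type    = buf[0];
    uint8_t  version = buf[1];
    uint32_t alg     = le32(buf + 4);
    uint32_t magic   = le32(buf + 8);
    uint32_t bitlen  = le32(buf + 12);
    blob_kind kind;

    if (version != CUR_BLOB_VERSION || alg != CALG_RSA_KEYX) return BLOB_NOT_A_KEY;
    if (bitlen == 0 || bitlen % 16u != 0 || bitlen > 16384u)   return BLOB_NOT_A_KEY;
    if (type == PUBLICKEYBLOB && magic == RSA1_MAGIC)        kind = BLOB_RSA_PUBLIC;
    else if (type == PRIVATEKEYBLOB && magic == RSA2_MAGIC)  kind = BLOB_RSA_PRIVATE;
    else                                                     return BLOB_NOT_A_KEY;
    if (len < rsa_blob_len(type, bitlen)) return BLOB_NOT_A_KEY; /* truncated blob */
    if (bitlen_out) *bitlen_out = bitlen;
    return kind;
}

/* Build a structurally valid blob with zeroed key material: constructed test
 * data, not a real key. Returns bytes written, or 0 if the buffer is too small. */
size_t build_test_blob(uint8_t type, uint32_t bitlen, uint8_t *out, size_t cap)
{
    size_t total = rsa_blob_len(type, bitlen);
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = type;
    out[1] = CUR_BLOB_VERSION;
    out[5] = 0xa4;                                       /* aiKeyAlg = CALG_RSA_KEYX */
    memcpy(out + 8, type == PRIVATEKEYBLOB ? "RSA2" : "RSA1", 4);
    out[12] = (uint8_t)bitlen;         out[13] = (uint8_t)(bitlen >> 8);
    out[14] = (uint8_t)(bitlen >> 16); out[15] = (uint8_t)(bitlen >> 24);
    out[16] = 0x01; out[18] = 0x01;                      /* pubexp = 65537 */
    return total;
}

/* Round-trip both blob types plus a constructed "help" message; returns 1 on success. */
int self_check(void)
{
    static uint8_t buf[2048];
    uint32_t bits = 0;
    const char *msg = "CONSTRUCTED: send your bitcoin wallet address via Contact Us";
    size_t n = build_test_blob(PRIVATEKEYBLOB, 2048, buf, sizeof buf);
    if (classify_key_blob(buf, n, &bits) != BLOB_RSA_PRIVATE || bits != 2048) return 0;
    n = build_test_blob(PUBLICKEYBLOB, 2048, buf, sizeof buf);
    if (classify_key_blob(buf, n, &bits) != BLOB_RSA_PUBLIC) return 0;
    if (classify_key_blob((const uint8_t *)msg, strlen(msg), NULL) != BLOB_NOT_A_KEY) return 0;
    buf[8] = 'X'; /* corrupt the magic: the 0x06 type byte alone is not enough */
    return classify_key_blob(buf, n, NULL) == BLOB_NOT_A_KEY;
}

int main(void)
{
    printf("2048-bit private blob = %zu bytes, public blob = %zu bytes, self-check %s\n",
           rsa_blob_len(PRIVATEKEYBLOB, 2048), rsa_blob_len(PUBLICKEYBLOB, 2048),
           self_check() ? "passed" : "FAILED");
    return self_check() ? 0 : 1;
}
```

For a 2048-bit key the private blob is 1172 bytes and the public blob 276 bytes, which is a quick triage check for a recovered 00000000.dky: a file of any other size, or one that starts with readable text, is the attackers’ message rather than a key, and the decryptor will delete it after CryptImportKey fails.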

Decryption does not work because the authors omitted a link between payment and the unique ID. But what happens if a user follows the instructions and sends the Bitcoin wallet ID to the attackers? Can the victim decrypt files? So far, a tiny sample of victims have reported the decryption of files, but this appears not to be tied to the payment-making function.

Although the message indicates that a user may be able to get the files back (which supports the theory of shoddy design), our limited testing indicated that decryption keys are not returned and files cannot be restored even after payment, which adds weight to the possibility that WannaCry is a prank or test.

Does WannaCry prevent recovery of file data?

Yes and no. There has been a lot of excellent research showing that in some circumstances, files are recoverable:

Files on removable and nonsystem volumes.

Read-only files.

Temporary files.

Files stored in the Desktop and Documents folders are the hardest to recover. What does this mean for our theories? Both are still supported:

There is a difference between not realizing that per-user file decryption can never work without the unique ID and running into filesystem processing bugs for large batch operations; errors in batch processing are much easier to explain.

Prank: The techniques for preventing recovery support the theory that the developers did not go to great lengths to prevent recovery from unpredictable folders and devices:

Removable, network, and fixed nonsystem volumes may support file carving as a recovery technique. This is also true for devices that make use of wear leveling.

Desktop and Documents folders are common file locations. Many users would not be able to recover most of their files.

We do not believe that WannaCry file data recovery prevention strongly supports either thesis.

Does WannaCry prevent recovery of key material?

The most important key for data recovery is the user’s private key. We used hardware breakpoints to see what happens to the exported key blob in our earlier example, as shown below:

Figure 24: Hardware breakpoint to trigger on writes to the key blob.

When this breakpoint fires, we found the following code zeroing out the exported key blob:

Figure 25: Assembly of code that modifies the exported key blob.

Thanks to care taken with data sanitization (such as that shown in Figure 25) and the correct use of CryptDestroyKey, WannaCry keeps the user’s private key in a nonencrypted form for the shortest possible time. Thus private key recovery is impractical beyond exploiting issues in the Windows APIs (as described by other authors).
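As an added illustration of the sanitization described above (not WannaCry’s code, which the post shows only as the assembly in Figure 25), the pattern below wipes an exported key blob through a volatile pointer so the compiler cannot drop the stores as dead writes, which it may do with a plain memset immediately before free. The 1172-byte size and the 0xAB fill are constructed stand-ins for a 2048-bit private key blob, not real key material.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Wipe that the optimizer cannot remove: every store goes through a volatile
 * pointer, so a buffer that is about to be freed is still overwritten. */
void secure_zero(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

/* Count the non-zero bytes left in a buffer: the "what survives in memory"
 * check a forensic analyst would make after the wipe. */
size_t bytes_remaining(const uint8_t *p, size_t n)
{
    size_t live = 0;
    for (size_t i = 0; i < n; i++) live += (p[i] != 0);
    return live;
}

/* Model of the exported-key lifetime: export into a heap buffer, consume it,
 * wipe it, then release it. Returns the number of non-zero bytes observed just
 * before free(); 0 means no plaintext key byte outlives its use. */
size_t exported_key_lifetime(void)
{
    const size_t blob_len = 1172;            /* size of a 2048-bit PRIVATEKEYBLOB */
    uint8_t *blob = malloc(blob_len);
    if (!blob) return (size_t)-1;
    memset(blob, 0xAB, blob_len);            /* constructed stand-in for key bytes */
    /* The blob would be consumed here, e.g. encrypted with a public key and
     * written out; the plaintext copy must not survive past this point. */
    secure_zero(blob, blob_len);
    size_t left = bytes_remaining(blob, blob_len);
    free(blob);
    return left;
}
```

The buffer wipe covers only the exported copy; the key object still held by the CSP has to be released separately, which is why the post pairs the zeroing in Figure 25 with CryptDestroyKey. Together they leave a memory image with nothing to carve beyond whatever the Windows APIs themselves retain.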

Although the attacker’s motive may remain unknown for some time, we commend the response from victims, who have generally decided to not pay. Our research continues into this campaign; we will release more data as more information arises.

WannaCry: The Old Worms and the New
https://securingtomorrow.mcafee.com/executive-perspectives/wannacry-old-worms-new/
Sat, 13 May 2017 05:42:14 +0000

The morning of Friday, May 12 multiple sources in Spain began reporting an outbreak of the ransomware now identified as WannaCry.

Upon learning of these incidents, McAfee immediately began working to analyze samples of the ransomware and develop mitigation guidance and detection updates for its customers.

By Friday afternoon, McAfee’s Global Threat Intelligence system was updated to identify all known WannaCry samples and the company had delivered DAT signature updates to all its customers.

McAfee urges all its customers to ensure these DAT updates have been applied, and furthermore ensure that security updates are applied for all the software solutions they use. For more information, read this Knowledge Center article.

This week’s attacks leveraging the WannaCry ransomware were the first time we’ve seen an attack combine worm tactics with the business model of ransomware. The weaponization of the EternalBlue exploit made public weeks ago, and unpatched MS17-010 Windows OS vulnerabilities by the thousands, enabled WannaCry to infect hundreds of thousands of computers, across industries, across continents, and within just a day. Furthermore, these attacks accomplished all this with little or no human involvement, which other ransomware campaigns typically require.

A hybrid of the proven, less the human

WannaCry’s success comes down to its ability to amplify one attack through the vulnerabilities of many machines on the network. The impact of the attack is much greater than what we’ve seen from traditional data ransomware attacks.

Almost all of the ransomware we see in the wild today attacks individual users, typically through spear-phishing: the victim receives an email that appears to come from a legitimate source and is lured into clicking on a link or opening an attachment that downloads or executes malicious code on his or her system. But it only impacts that victim’s one computer.

If you think back to the late 90s and early 2000s, when we had Code Red, NIMDA and SQL Slammer, those worms spread really rapidly because they didn’t require a human to take any action in order to activate the malware on the machine. This week’s attacks did something very similar.

We’re still working to determine how a “patient zero” machine became infected, but, once it was, any other machines that hadn’t received the MS17-010 patch were infected over the network.

Instead of stealing data or damaging other machines, the malware executed a classic ransomware attack, encrypting files and demanding a ransom payment. The attack essentially combined two techniques to produce something that was highly impactful.

With WannaCry, if the configuration of machines within an organization possessed the Microsoft vulnerability (addressed by Microsoft in March), the ransomware could infect one machine and then move very rapidly to spread and impact many other machines that still had not been patched.

What we’ve typically seen with cybercrime is that when any technique is shown to be effective, there are almost always copycats. Given that this appears to have been quite an effective attack, it would be very reasonable for other attackers to look for other opportunities. One of the things that makes that difficult is you need to have a vulnerability in software that has characteristics that enable worm-like behavior.

What’s unique here is that there is a critical vulnerability that Microsoft has patched, and an active exploit that ended up in the public domain, both which created the opportunity and blueprint for the attacker to be able to create this type of malicious ransomware worm capability.

Open for exploit

In the late 90s, it was common practice to leave all sorts of software running on machines even if it wasn’t used. For instance, one of the worms in the 90s took advantage of a vulnerability in a print server that was included by default on all servers, even those with no printer attached. That allowed the worm to connect to the printer port on every server on a network, creating a propagation scenario that infected system after system.

A common practice for addressing this since those days is a best practice known as “least privilege,” which allows an application or service to run only the things on a machine or network that that entity needs to complete a task or function specific to its particular role. Least privilege has reduced the chances of the traditional worm scenario, but unpatched vulnerabilities mimic this “open” element available for exploit, particularly if such vulnerabilities enable things such as file transfer or sharing across systems.

It would be difficult to orchestrate attacks such as the WannaCry campaign, without all the unpatched vulnerabilities, the publicly released exploit, and a set of proven ransomware technologies and tactics at the attacker’s disposal.

To patch or not to patch

WannaCry should remind IT of the criticality to apply patches quickly. Part of the reason IT organizations hesitate to patch or run an internal quality assurance process is to ensure that there aren’t software incompatibility issues. One way I like to think about this is that whenever a patch must be applied, there is a risk to applying a patch, and a risk to not applying a patch. Part of what IT managers need to understand and assess is what those two risks mean to their organizations.

By delaying deployment of a patch, they can mitigate risk related to application compatibility. By delaying a patch, they are increasing the risk of being compromised by a threat exploiting a vulnerability. IT teams need to understand for each patch, what those levels of risk are, and then make a decision that minimizes risk for an organization.

Events such as WannaCry have the potential to shift the calculus of this analysis. One of the problems we often see in security is that the lack of an attack is sometimes interpreted as having a good defense. Companies that have become lax in applying patches may have not experienced any attacks that take advantage of those vulnerabilities. This can reinforce the behavior that it’s okay to delay patching.

This episode should remind organizations that they really do need an aggressive patching plan in order to mitigate the vulnerabilities in their environment.

Why the hospitals?

Hospitals fall into a category I think of as “soft targets,” meaning hospitals generally focus on patient care as their top priority, as opposed to having the best cyber defenders on staff and best cyber defense technologies in place.

The reason for this is that, traditionally, there was very little incentive for cybercriminals to attack a hospital. They could potentially steal patient records or other data, but the total value of data from a hospital would typically be less than that of the bulk data stolen from other industries such as financial services.

What ransomware has done as a criminal business model is provide an incentive to attack any organization. Given that criminals are demanding a ransom, it’s far easier to exploit an organization with weaker cyber defenses than an organization with stronger cyber defenses, which is why we’ve seen hospitals, schools, municipal police departments, and universities become victims of ransomware over the last year. While we’re now starting to see the targeting of “harder” organizations as well, at least for now, there are a lot of opportunities for criminals to continue to target these soft target organizations.

What next?

Although this attack is something new, and something we need to be thoughtful about, when we see such a vulnerability occur in the wild and an exploit published that could be used by cybercriminals, we should always expect and be prepared for this kind of attack, and for many copy-cat attacks soon after.

Charles McFarland was a coauthor of this blog.

Over the course of Friday, May 12 we received multiple reports of organizations across multiple verticals being victim to a ransomware attack. By Friday afternoon, McAfee’s Global Threat Intelligence system was updated to identify all known WannaCry samples and the company had delivered DAT signature updates to all its customers. But the wave of attacks ranks as one of the most notable cyber events in history.

Once a system is infected, the encrypted files carry the file extension .WNCRYT. Victims’ computers then display the following message, demanding $300 to decrypt the files.

Observations

Exploit MS17-010:

The malware is using the MS17-010 exploit to distribute itself. This is an SMB vulnerability that allows remote code execution. Details at https://technet.microsoft.com/en-us/library/security/ms17-010.aspx. Exploit code is available on multiple sites, including this example: https://github.com/RiskSense-Ops/MS17-010/blob/master/exploits/eternalblue/ms17_010_eternalblue.rb.

This exploit is also known as the Equation Group’s ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers a couple of weeks ago.

With MS17-010, the attacker can use just one exploit to get remote access with system privileges, meaning both steps (Remote Code Execution + Local Privilege Escalation combined) use just one bug in the SMB protocol. Analyzing the exploit code in Metasploit, a popular hacking tool, we see the exploit uses KI_USER_SHARED_DATA, which has a fixed memory address (0xffdff000 on 32-bit Windows), to copy the payload and transfer control to it later.

Because the attacker gains system-level control of a victim’s PC remotely and without any user action, control over a single system inside a local network is enough to spray this malware across that network: the compromised system spreads the ransomware to every Windows system that is affected by this vulnerability and has not been patched for MS17-010.

Behavior

Using command-line commands, the malware removes the Volume Shadow copies and backups:
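An added detection example, not code from the original post: the log lines are constructed process-creation events (timestamp, host, parent image, command line), and the patterns matched are the shadow-copy and backup deletion commands catalogued under MITRE ATT&CK T1490 (Inhibit System Recovery), not commands quoted from the post. The second function captures the practitioner's point that one shadow-copy deletion can be routine administration, while several different recovery-inhibiting commands from the same host in quick succession is the ransomware pattern worth paging on.

```python
"""Flag backup-destruction commands in process-creation log lines.

Added example, not code from the original McAfee post. The log lines below
are constructed, and the command patterns are the shadow-copy and backup
deletion commands catalogued under MITRE ATT&CK T1490 (Inhibit System
Recovery) rather than commands quoted from the post.
"""
import re
from typing import Dict, List, Set

# Pattern name -> regex matched case-insensitively against the full command line.
BACKUP_DESTRUCTION_PATTERNS: Dict[str, re.Pattern] = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin_delete_catalog": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"bcdedit(\.exe)?\s+.*?(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
}

# Constructed process-creation log, one event per line:
# timestamp|host|parent_image|command_line
SAMPLE_PROCESS_LOG = r"""
2017-05-12T10:01:03Z|WS-0042|C:\Windows\explorer.exe|"C:\Program Files\Vendor\sync.exe" /quiet
2017-05-12T10:01:41Z|WS-0042|C:\Users\Public\unknown.exe|cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete
2017-05-12T10:01:42Z|WS-0042|C:\Users\Public\unknown.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
2017-05-12T10:01:43Z|WS-0042|C:\Users\Public\unknown.exe|wbadmin delete catalog -quiet
2017-05-12T10:05:00Z|SRV-BACKUP|C:\Windows\System32\svchost.exe|vssadmin list shadows
"""


def scan_process_log(log_text: str) -> List[dict]:
    """Return one alert per log line whose command line matches a T1490 pattern."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, host, parent_image, command_line = line.split("|", 3)
        hits = [name for name, pattern in BACKUP_DESTRUCTION_PATTERNS.items()
                if pattern.search(command_line)]
        if hits:
            alerts.append({
                "timestamp": timestamp,
                "host": host,
                "parent_image": parent_image,
                "techniques": hits,
                "command_line": command_line,
            })
    return alerts


def hosts_with_chained_destruction(alerts: List[dict], min_distinct: int = 2) -> Set[str]:
    """Hosts on which at least `min_distinct` different patterns fired.

    A lone "vssadmin delete shadows" may be an administrator reclaiming disk
    space; several distinct recovery-inhibiting commands from one host is the
    high-confidence signal.
    """
    seen: Dict[str, Set[str]] = {}
    for alert in alerts:
        seen.setdefault(alert["host"], set()).update(alert["techniques"])
    return {host for host, names in seen.items() if len(names) >= min_distinct}


if __name__ == "__main__":
    found = scan_process_log(SAMPLE_PROCESS_LOG)
    for alert in found:
        print(alert["timestamp"], alert["host"], alert["techniques"])
    print("hosts with chained destruction:", hosts_with_chained_destruction(found))
```

Run against real Sysmon Event ID 4688/1 exports, the parent image field is the second filter worth adding: the same commands launched from an unsigned binary in a user-writable directory, as in the constructed sample, deserve a different severity than the same commands launched from an administrator's console.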

McAfee urges all its customers to ensure McAfee’s DAT updates have been applied to ensure the latest protection. We furthermore advise customers to be diligent in applying security updates for all the software solutions they use.

CIOs: You need to have the cloud talk with your staff
https://securingtomorrow.mcafee.com/executive-perspectives/cios-need-cloud-talk-staff/
Mon, 08 May 2017 16:15:23 +0000

CIOs, it is time to have a frank and open discussion with your staff. This conversation may be difficult or awkward, as it involves topics such as consent, privacy, and appropriate protection. Yes, you need to speak with your staff about the organization’s cloud strategy, and any deployment or security issues that they are facing.

Cloud First strategies are predominantly driven from the top down, per McAfee’s 2017 cloud adoption and security report. However, for many of the organizations involved in the study, there appears to be a slight disconnect between the C-suite and staff. Overall, C-level executives, such as CIOs, CSOs, and CISOs, displayed a more positive attitude towards cloud-based operations than the non-executive respondents.

Within your organization, it is important to uncover any gaps in perception and determine what is causing them. Are the reasons for a Cloud First strategy not getting clearly communicated down the chain? Are your staff seeing operational issues that are not making it to your office? Or is your staff concerned that cloud adoption is putting their jobs at risk?

The McAfee 2017 cloud study provides some valuable clues and discussion points for your staff meeting. Based on the survey results, 92% of execs stated that they are following a Cloud First strategy, but only 80% of staff agreed. There were also significant gaps in the number and types of cloud services in use, amount of sensitive data stored in the cloud, and plans for future cloud investments. An organization-wide inventory of cloud services in use, data types and locations, and budgets would be an excellent way to start the meeting. The results of this inventory will likely surprise most people in the room, and form the foundation for a discussion of operational and staffing concerns.

According to the survey, the biggest gaps in operational concerns between staff and executives relate to costs, compliance, unauthorized access, and Shadow IT. Staff were more concerned about costs than executives, which may be directly related to the lack of information about budget plans mentioned above. However, staff were also more concerned about unauthorized access to sensitive data and their ability to maintain compliance with regulations than the execs. These concerns should be the focus of a deep dive across the organization, to identify whether there are significant gaps in security and privacy controls. At the same time, executives were more concerned about Shadow IT than staff. When Shadow IT apps are found, staff were more likely to favor blocking access to unauthorized applications, while execs preferred data loss prevention tools. Depending on the results of your discussion, clear communication throughout the organization about the risks and consequences of Shadow IT appears to be needed.

Finally, staff may feel that they lack the necessary job skills for a Cloud-First IT department. Over half of the executives reported that they have slowed their cloud adoption due to a skills shortage, and almost a third reported that they are continuing despite a skills shortage. However, the execs ranked this concern lower than staff did, which may be inadvertently sending the message down the chain that staffing changes are coming. Based on earlier research from McAfee, it is easier and more effective to invest in security training for existing staff than to find and hire experienced security professionals.

The transformation to cloud services is having a significant impact on the efficiency and effectiveness of organizations of all sizes, and the IT department is probably impacted more than most. Based on the results of this study, there are some small but possibly significant gaps between C-level executives and their staff, that should be addressed before they impact the organization’s security posture.

On November 17, 2016, Shamoon malware struck once more. As with the first Shamoon assault five years ago, the target was Saudi Arabia. But while earlier attacks focused on critical oil and gas infrastructure, last fall’s campaigns targeted Saudi government institutions, financial services, and other sectors. The objective was to gather information on individuals and organizations and wipe critical systems clean. With aggressive assaults across such a broad scope of attack surfaces, the latest Shamoon campaigns were nothing short of attempts to disrupt an entire nation.

Such an effort isn’t audacious given other events over the last several months. We’ve heard the revelations about the breach at Yahoo, watched the Mirai DDoS attack disrupt huge swaths of the Internet, and tried to come to terms with a DNC hack that many say influenced the American democratic process. The re-emergence of Shamoon is just the latest reminder that life and liberty can be imperiled by cyber-attacks.

It’s time—once again—for all of us to raise the stakes in our cybersecurity fight. We must match the audacious efforts of our adversaries with our own.

On the heels of the “new” McAfee launch, we are taking an important step in this effort by increasing investments and resources to fight and win with cyber threat research. Those investments are already starting to pay off, and last week we released new research on the evolution of the Shamoon cyberespionage campaigns that have ravaged the Middle East for half a decade.

The report identifies overlapping technology, tactics, and infrastructure among disparate Shamoon cyber campaigns in Saudi Arabia, and suggests there is one actor behind all the campaigns, rather than numerous independent cyber gangs. We further uncover that the actor has dramatically improved the sophistication of their attacks since 2012.

The research is the work of our Strategic Intelligence group, which works closely with our services organization’s Advanced Programs Group (APG). Led by Chief Scientist and McAfee Fellow Raj Samani, the group complements McAfee Labs’ threat intelligence analysis and Advanced Threat Research’s vulnerability research with an investigative specialization across several essential areas. These include advanced malware, ransomware, cyber campaigns and networks, financial fraud, cyber espionage, cyberwarfare, and protection of industrial controls.

Last week’s report reveals the first of many insights the group will provide our customers, partners, and law enforcement. The work is just one example of the “new” McAfee’s audacious effort to raise the stakes in the fight against our adversaries.

Attacks by cybercriminals, rogue states, or stateless actors, wherever they are targeted, are a threat to us all. Please join me in elevating our commitment to putting malicious actors where they belong—out of business.

Threats against the Industries

Today’s devices are becoming more internet-connected as we speak. As our world becomes further intertwined with technology, new doors open directly into our lives for potential threats. Hackers are quickly advancing with their attacks, making it detrimental for end users if security is not provided. Consumers within the retail, medical, industrial controls and now even the automotive industries are concerned with using devices in their environment due to the potential risk of a cyber attack. Thus, it is critical for device manufacturers and embedded OEMs to provide security within their devices.

The estimated cost of an average cyber attack is $15 million. Approximately 12 million records were breached in just the first half of 2016 in the retail industry. From 2013 to 2016, the number of breaches in the medical industry has nearly doubled. Within the industrial control industry, more than half of the critical infrastructure organizations have suffered from breaches in the last year. Additionally, in the automotive industry, automobiles are not immune to cyber attacks either.

The benefits of partnering with McAfee

The McAfee Embedded OEM team is partnering with industry leading device manufacturers and embedded OEMs such as Siemens Healthineers, Schneider Electric, NCR, and Toshiba to embed security solutions within their devices and ensure the safety and privacy of customers.

Our security products feature anti-malware protection, comprehensive threat awareness and analysis, and strong data encryption, and are topped off with streamlined security management, making them effective against threats yet simple enough to manage. With embedded security solutions, customers will be compliant and can avoid incidents that can result in high maintenance and service costs.

Our team is committed to being our embedded OEM partners’ #1 security vendor. We know that no one person, product, or organization can fight cybercrime alone. We simply believe that there’s power in working together. People working together. Products and solutions working together. Organizations and industries working together.

Let’s work together because Together is Power.
For more details about becoming an OEM partner, please visit our site: www.mcafee.com/oem

Naming the recent data-wiping attacks in Saudi Arabia as a continuation of the Shamoon campaign suggests that we are dealing with identical malware and procedures. However, there are fundamental differences between the campaigns of 2012 and 2016‒17, and these differences provide a fascinating insight into the development process of the attackers.

When we look at this campaign from a high level (preceding image) and at the shared characteristics (in red), we find quite a lot in common. Let’s examine in more detail:

When we look more closely into the phases of the cyberattack “kill chain,” and their modus operandi, we see differences that lead to more questions, as well as interesting findings.

Reconnaissance

In the reconnaissance phase of the 2012 attacks, the adversaries used scanning tools and a pirated copy of penetration-testing software Acunetix Security Scanner to find possible vulnerabilities on the victims’ outward-facing servers. An example of this scanning follows in an excerpt from an intrusion detection system log:

After finding a possible exploit, the adversaries uploaded web shells to gain remote access and used the web shells’ functionality to harvest usernames and credentials.

In analyzing attacks, we look at the capabilities and skills actors use. In examining how well an adversary knows its target and infrastructure, we classify this type of noisy scanning in the hope of finding an exploit as novice behavior. The attacker is hoping for a lucky shot instead of gathering detailed information during the reconnaissance phase.
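The noisy scanning described above is exactly what makes this reconnaissance style easy to catch on the defender's side. The following is an added example, not code from the original post: it parses constructed web-server access-log lines (Apache combined format, RFC 5737 documentation addresses) and flags a source either because it requests many distinct paths that mostly fail within a short window, or because a scanner product name appears in its User-Agent header. The User-Agent marker list is an illustrative assumption, not a signature set from the post.

```python
"""Flag noisy vulnerability-scanner traffic in web-server access logs.

Added example, not code from the original McAfee post. The access-log lines
are constructed (Apache combined format, RFC 5737 documentation addresses),
and the scanner User-Agent markers are an illustrative list.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Product names scanners commonly place in the User-Agent header (assumed list).
SCANNER_UA_MARKERS = ("acunetix", "nikto", "nessus", "sqlmap")

# Constructed sample: one source probing nine paths in twenty seconds, one
# source announcing a scanner in its User-Agent, and one ordinary visitor.
SAMPLE_ACCESS_LOG = """
203.0.113.7 - - [10/Aug/2012:09:14:01 +0300] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Aug/2012:09:14:02 +0300] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Aug/2012:09:14:04 +0300] "GET /backup/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Aug/2012:09:14:06 +0300] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Aug/2012:09:14:09 +0300] "GET /login.asp HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Aug/2012:09:14:11 +0300] "GET /config.php.bak HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Aug/2012:09:14:14 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Aug/2012:09:14:17 +0300] "GET /setup/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Aug/2012:09:14:20 +0300] "GET /old/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.23 - - [10/Aug/2012:09:20:00 +0300] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Acunetix)"
198.51.100.23 - - [10/Aug/2012:09:20:01 +0300] "GET /robots.txt HTTP/1.1" 200 80 "-" "Mozilla/5.0 (compatible; Acunetix)"
192.0.2.10 - - [10/Aug/2012:09:31:12 +0300] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1"
192.0.2.10 - - [10/Aug/2012:09:31:13 +0300] "GET /style.css HTTP/1.1" 200 2048 "http://example.test/" "Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1"
"""

Event = Tuple[datetime, str, int, str]  # (time, path, status, user_agent)


def parse_access_log(log_text: str) -> Dict[str, List[Event]]:
    """Group parsed events by source IP, sorted by time; malformed lines are skipped."""
    events: Dict[str, List[Event]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events[m["ip"]].append(
            (datetime.strptime(m["ts"], TS_FMT), m["path"], int(m["status"]), m["ua"]))
    for evs in events.values():
        evs.sort(key=lambda e: e[0])
    return events


def detect_scanners(log_text: str, window_seconds: int = 60,
                    min_paths: int = 8, min_errors: int = 5) -> Dict[str, dict]:
    """Return {ip: {"reasons": [...], "requests": n}} for sources that look like scanners."""
    findings: Dict[str, dict] = {}
    for ip, evs in parse_access_log(log_text).items():
        reasons = set()
        if any(marker in ua.lower() for _, _, _, ua in evs for marker in SCANNER_UA_MARKERS):
            reasons.add("scanner_user_agent")
        # Sliding time window: many distinct paths that mostly fail is the
        # "spray and hope" signature of an untargeted scan.
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > timedelta(seconds=window_seconds):
                start += 1
            window = evs[start:end + 1]
            distinct_paths = {path for _, path, _, _ in window}
            errors = sum(1 for _, _, status, _ in window if status in (403, 404))
            if len(distinct_paths) >= min_paths and errors >= min_errors:
                reasons.add("burst_of_probing_requests")
                break
        if reasons:
            findings[ip] = {"reasons": sorted(reasons), "requests": len(evs)}
    return findings


if __name__ == "__main__":
    for ip, finding in detect_scanners(SAMPLE_ACCESS_LOG).items():
        print(ip, finding)
```

The burst rule is the one that matters for the 2012-style reconnaissance: a scanner that strips its product name from the User-Agent still produces the distinct-path, high-error burst, whereas the User-Agent marker only catches operators who did not bother to change defaults. Thresholds are per-site tuning knobs; a web application with many broken links will need a higher error floor.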

In the 2016 attack, the reconnaissance phase consisted of spear-phishing attacks, with well-prepared spoofed domains and documents falsified as coming from certain trustworthy corporate and public-sector organizations. These documents were weaponized with malicious macros to download and execute a variety of backdoor threats. From 2012 we know publicly of two major attacks on victims in the petrochemical industry. In 2016‒17 the attacks were focused on multiple sectors, including public, petrochemical, and finance, but were intended to disrupt a single country: Saudi Arabia.

Weaponization

Once the adversaries gathered the credentials needed to weaponize the wiper malware component, they generally used accounts that would give the right amount of privileges to spread the malware as far as possible through the network. One interesting difference was that in the 2012 case the attackers also inserted default credentials of industrial control systems (ICS) equipment. Clearly the attack was aimed not only at the victims’ office networks but also attempted to disrupt the ICS environments.

In both cases, when the hardcoded date was reached, the wiper started to erase the disks. In 2012 the wiped machines reported to an internal control server that the destruction was a success. In the 2016 Shamoon samples, we found a control server component but to our knowledge it was not used to track the status of destruction.

In one URL parameter (also mentioned by our peers in the industry analyzing this campaign) we find an interesting word:

GET hxxp://server/category/page.php?shinu=ja1p9/

The word shinu can be translated to “what?” in Persian Gulf Arabic slang or “listen” in Farsi.

Until now we have compared the 2012 and 2016‒17 attacks. During our investigation and those by our peers in the industry, we have discovered many relations to other campaigns that used the same domains, whois registrants, or code. One of the examples we found was the reuse of code and exploits used in an attack by the Rocket Kitten group in spring 2016 and its reappearance in the 2016 Shamoon attacks.

A code excerpt from a macro used by Rocket Kitten since spring 2016:

A code excerpt from a macro used in a spear-phishing attack by Shamoon in 2016:

Our peers mentioned some other artifacts that referred to the OilRig campaign, in which Saudi Arabian organizations were targeted using Excel documents that included macros. The macros’ VBS code ran PowerShell and communicated via DNS tunneling.

From an operational security perspective—“How well do the attackers hide details or information about themselves?”—we gave them a low score in both campaigns. We did see some deliberate manipulation: for example, the resource language in the 2016 wiper was Yemeni Arabic (likely a reference to the political conflict in the region), and the “wiping picture” was a photo of the dead Syrian boy on the beach. Still, plenty of information was left behind, for example, the reuse of infrastructure and code, as well as program database paths in the malware that normally would be removed.

From a risk-analysis perspective, we would give the 2012 adversaries a certain score based on factors such as stealth, operations security, precision, and other factors. If we were to do the same for the 2016‒2017 attacks, we would award a higher score. For example, the attack precision increased due to using spear phishing with payloads instead of using noisy scanning and web shells. Also, the time of persistence in the networks increased compared with that of the 2012 attacks.

Due to the large scale of the attack in 2016‒2017, we saw mistakes in maintaining operational security. We strongly believe that this was caused by the involvement of different groups/individuals with different skills, whereas in 2012 we believe one group was responsible for the attack.

Development cycle

With five years between the attacks, we have likely seen a nation-state actor grow in cyber-offensive capacity and skills. Where once pirated software was used for vulnerability scanning, which can be easily detected by intrusion detection or prevention systems, we now find targeted spear phishing with weaponized documents. And instead of batch scripts, the use of PowerShell scripts and DNS tunneling demonstrates a major increase in the attackers’ expertise.

Note: We wish to acknowledge the efforts of McAfee’s Advanced Programs Group for that team’s extensive contributions to the actor and adversary part of this research.

In November 2016, we published a blog that drew comparisons between samples that we had received and those of the 2012 ‘Shamoon’ campaign. Since November, there has been a considerable amount of research corroborating our initial assertions, which we have reviewed against our own continuing analysis. We found that the latest Shamoon campaigns are attacking a wider range of organizations, they are connected to other notable campaigns, and the increase in sophistication suggests investment, collaboration and coordination beyond that of a single hacker group, rather the comprehensive operation of a nation-state. This blog and the technical details (also now published) summarize our continued research into the comparison and growth of the attacks from 2012 to 2017.

A wider group of targets

In the original campaign, the targets were predominantly focused on the energy sector within Saudi Arabia. In the current instance, we have evidence that the scope of targeted verticals has widened from energy to the public sector, financial services, and others. Although the scope of targets has widened, all the samples we received targeted organizations in Saudi Arabia.

The approach taken by the attackers was all too familiar: once a target was identified, they used spear phishing email as the initial entry vector. From as far back as September 2016, the attackers sent these emails to individuals within target organizations. The messages contained Microsoft Office files embedded with macros, which facilitated back-door access to the organizations. With the necessary reconnaissance concluded, the actors initiated the weaponization of the attack with the intention of disrupting key organizations across Saudi Arabia:

Attack Wave 3: Began January 23, 2017, and ongoing, with similar samples, methods, and TTPs as in Waves 1 and 2.

The process of wiping infected systems loaded a different image to the original campaign, but with the same devastating effect. The scale of attack—with multiple waves of attacks—suggests a coordinated effort to disrupt a nation that is new compared to the previous campaign.

Links to other campaigns

The linkage to the previous campaign was based on the fact that much of the code was the same; indeed our assessment concluded that there was a 90% reuse of code from the 2012 attacks. However, our examination of this reuse of code led us to identify code from other attack campaigns. For example, code used in the macros from the latest spear-phishing campaign was seen in attacks conducted by the Rocket Kitten hacking group, and the infrastructure used we identified as that used by the OilRig campaign.

Although the current attackers may have connections with a particular nation-state, our analysis focused on the notable increase in the technical expertise since the 2012 campaign. For example, in 2012, the actors moved quickly in and out of the victim network, inflicting system-wipe damage and then disappearing. In 2016, the actors penetrated networks and established remote control to gather intelligence for future planned wiping attacks.

A broader community of collaborators

Based on these and other key differences, we strongly believe that the 2016-17 campaigns benefitted from the development effort of a much wider community of collaborating hacking groups. The recent attacks demonstrate greater technical expertise, yet the wide-ranging nature of the campaign involved many other actors that did not necessarily have the same level of technical expertise as other participants. Poor Operational Security procedures suggest that some parts of the attacks were executed by less experienced operators. Furthermore, it is true that malware can be designed to contain indicators that attribute their attacks to other actors.

Based on our years of investigation into the Shamoon attacks, we do not believe this misdirection tactic was used in the cases we examined.

Though we can argue about the term sophistication, one thing is clear. This campaign was significantly larger, well-planned, and an intentional attempt to disrupt key organizations and the country of Saudi Arabia.

Attacks on banks in East Asia and on corporations remind us that cyber espionage and system-wiping campaigns are not unique to the Middle East. Rogue state and stateless actors have been known to use similar cyber tools and tactics to achieve military and intelligence objectives they would otherwise be unable to accomplish. Actors such as these have been known to obtain these and other technologies from the black market, if not from each other directly.

To that end, there is no indication that the attackers will not come back again, and, as this latest Shamoon ‘reboot’ has shown, they will come back bigger and stronger again, and again.

Note: We wish to acknowledge the efforts of McAfee’s Advanced Programs Group for that team’s extensive contributions to the actor and adversary part of this research.

For details on this research, please see the McAfee Strategic Intelligence technical blog in Executive Perspectives.

Want even more information? Check out the Q&A blog on this topic and follow us on Twitter @McAfee.

Rising to the Occasion as the New McAfee
https://securingtomorrow.mcafee.com/executive-perspectives/rising-occasion-new-mcafee/
Thu, 13 Apr 2017 19:00:48 +0000

As a new standalone company, there’s great opportunity in front of us to recapture our identity. And since our identity lies at the core of everything we do and all our interactions, this opportunity is going to help us reinvigorate both our employee and customer base. More importantly, it’s allowing us to rediscover what makes McAfee great, as well as actively reclaim our role as a leader in the industry. But before we get there, we’re embodying a “make or break” mindset to guide us along the way as we go after cybercriminals, draw outside the lines, and work better together. And though the opportunity in front of us is great, we’re not intimidated. In fact, we will rise to the occasion. Here’s how:

Reclaiming a Leadership Role

Most players in the cybersecurity industry are ambitious and agile, including the new McAfee. In fact, as a new company, we have the opportunity to lead the pack when it comes to how the industry approaches cybersecurity innovation and leadership.

So, what will this leadership role look like for us? For starters, leaders push the envelope, and drive the market to deliver better products– which is exactly what we plan on doing. We’re also going to ask the tough questions, drive thought leadership, and come to the market with easily adaptable, unique technologies that deliver meaningful outcomes.

Make or Break Mindset

As a standalone company, we will succeed by living and breathing a “make or break” mentality. We are on our own now and it feels good but we recognize that with independence comes ownership and responsibility. We are taking this very seriously and through our commitment to our customers and the industry we’re going to prove that our claim to leadership is valid.

This mindset also hones our focus in on what we need to do to keep our customers safe. This has been part of the McAfee DNA since inception. Through the years, I’ve seen the mettle of this company tested. When adversaries have struck with merciless force against our customers, I’ve watched the men and women of McAfee rally, literally working around the clock to restore order.

That’s the thing that’s always amazed me about this company– nobody stands around and complains about the situation, they just ask how they can help and they get it done. Whether it’s for 1 customer or 500, our team stands up and makes it happen. It all goes back to the passion we have for this industry. We can often make the difference between a customer coming out of a situation barely scathed, or coming out with a catastrophic issue. There is no better feeling than knowing you and your colleagues helped a customer through what could have been, or maybe was, their darkest hour. And as the new McAfee, we will continue to put our customers first by doing whatever it takes to make the customer base secure.

That mindset will also permeate how we innovate and look at problem-solving. We’re going to “draw outside the lines,” so to speak, by looking at a multitude of ideas, inputs, and disciplines. Industries reinvent themselves by looking beyond how things are done today and by viewing the current reality through a different lens. The freedom and agility that comes from being a stand-alone business gives us the liberty to use a fresh approach to innovation and solution development. That Make or Break mentality will play a role here as well by driving us to adjust our solution development approach to the situation at hand.

However, it’s important to note, a company and its innovations won’t rise to the occasion unless individual employees do first. And a crucial aspect of standing strong as McAfee is standing together internally – which means taking pride in being a McAfee employee.

A Palpable Pride in the McAfee Family

McAfee is a family. At the end of the day, we’re all proud and grateful to be able to work for such an amazing organization. In fact, that pride ends up being one of our strongest assets, because when people feel that way within an organization, it’s palpable, especially to our customers.

Customers can tell when employees take ownership and are engaged, and it makes them have confidence in who we are as company. More importantly, it makes them feel safe. And at the end of the day, that is what we do.

Tearing Down Walls as the New McAfee
https://securingtomorrow.mcafee.com/executive-perspectives/tearing-walls-new-mcafee/
Wed, 12 Apr 2017 15:00:30 +0000

As we embark on our journey as a new company, we look towards our goals to help guide us along the way. Our north star? Collaboration. We want to tear down walls, because we know that we’re stronger together. But in order to do this, we first have to take the right steps to get there, including opening up the dialogue with our customers that keeps education a top priority, and supporting each other internally. And with those acting as our guide posts, the new McAfee can continue to succeed in ensuring safety for all.

Listening to Our Customers

As the new McAfee, our defined position in the market will help us continue our strong communication and collaboration with our customers. An open dialogue is crucial for customer success, so it’s important that we continue to build out a unique and personal experience. That means we’re going to strengthen the listening posts we have for every point of the customer journey, so they feel supported while they navigate the cybersecurity landscape. We’re also now going to set up resources in a centralized fashion to approach customer response with a data-driven method. That way, we can capture the similarities we hear from customers and make them into something actionable, which in turn allows us to provide a more immediate and direct fix to the problem.
The good news is that this has already started to become second nature to us because of the precedent Chris Young has set. When it comes to listening to customers and taking action, he truly leads by example. He is completely customer-facing: he listens to issues, meets regularly, and, most importantly, sets clear expectations around taking action on what people are saying.

He reminds us that a customer’s journey needs to be strategic, which means we also need to begin the customer journey with a strategy. That’s where strong cybersecurity education comes into play.

Keeping Education Top of Mind

We are in an industry that is charged with securing the lives of people who are dealing with complex problems. And unfortunately, a lot of our customers want to fully understand the problems they’re facing, but can’t.

Therefore, these customers are relying on us to tell them what they don’t know, and more importantly, what they need to do to stay safe.

That’s why the new McAfee is focused on making things simple, smooth, and easy for customers to understand. We want to break cybersecurity down in a way our customers can easily grasp and translate to their own lives. That way, cybersecurity becomes less intimidating and just second nature to them. To accomplish that, we’re going to constantly stay one step ahead by knowing what threats and technologies are on the horizon.

Teamwork Like Never Before

As the new McAfee, we’re experiencing a culture shift that’s allowing us to streamline and optimize our efforts as a team. We’re now better supporting each other, using everyone to the best of their ability, and keeping everyone accountable for their actions. The result? Teamwork like we’ve never seen before.

That’s because we know this is all of our responsibility, and with that responsibility comes a sense of pride and ownership that is ingrained in the fabric of McAfee. We’re proud that we get to positively impact so many lives, and we’re proud we can do that as McAfee employees.

When you meet a McAfee employee, any employee, you see this sort of blue collar mentality that drives the way they work. Everyone is ready to get their hands dirty, do what they have to do to get it fixed, and get it right. We’re doers, and our customers know that. In fact, they’re counting on it.


Our culture has an edge to it. We’re not afraid to try new things. As of right now, we’re “the new McAfee” too. Put all of that together and what you end up with is an opportunity to define how we want the world to see us.

That’s a big statement, and I’m well aware of it. To me, our speed, flexibility, and willingness to take calculated risks are cornerstones of our culture. It only makes sense that we should extend those qualities to our posture in the marketplace. That way, our customers and partners will know, without a doubt, who we are and what we stand for. By establishing the posture we want through our products and our actions, our company can make a strong stance—as the go-to source for anyone who wants to stay safe online today.

Speeding Up Our Position in the Market

When keeping people safe today, a major consideration is speed. Just as we’re quick and agile as an organization, we can easily say the same for security threats that we’re fighting. Likewise, consumers are starting to realize that cybercriminals are not just after their PCs anymore—they’re now after their connected devices like wearables and smart assistants too. As the customers’ threat surface rapidly expands across their networks, criminals are quickly exploiting it. That means that we have to operate even faster than before, all while bringing better applications and solutions to market that respond to, and even anticipate, this new breed of threats.

Opportunities like that are exciting, and they allow us to achieve our goals as a company, such as being the undisputed leader when it comes to protecting consumers’ devices in the digital world and a visionary when it comes to providing protection. Today, we protect more than 250 million people a day with our consumer products, but our long-term goal is to protect more than a billion per day. And as the new McAfee, we’re in the best position to achieve that goal.

Forging Stronger Partnerships

A new posture also makes a lasting impression on our partners. Another business goal of ours is to bring the marketplace together through collaboration, which aligns with the notion of “Together is power.” The current threat landscape is an evolving challenge for everyone, and thinking that we’re going to solve it all by ourselves here at McAfee is unrealistic. It’s time the industry be more open and collaborative with one another, because if we can bring more heads together, we can bring better technology to the table. That also requires us to forge smart partnerships, like we’ve done with Arris for the Secure Home Platform and with Samsung by securing more than 20 million Smart TVs. As McAfee, we have new factors and capabilities to support our partnerships in different ways than we’ve ever done in the past. By recognizing that we all have a shared interest in keeping people safe, and by supporting our partners with our agility, speed, and ability to innovate, we both can benefit in the form of a happy and secure customer.

A new posture in the new McAfee benefits so much more than ourselves. It can benefit anyone who wants to be more secure and any business that wants to make a stand in the fight against cybercrime.

For me, the best role in a company is CFO. A work colleague once summed it up this way: “The CEO is the heart and soul of the company, and the CFO is the central nervous system.” As a CFO, you receive impulses from across the organization to gain insight on the implications of decisions and then develop plans based on those signals … to improve efficiency and returns for your stakeholders.

McAfee has immense heart and soul in Chris Young. His vision for this company and passion for securing the public’s online presence is inspirational. In fact, it’s his leadership and vision that first drew me to join McAfee a few months ago.

I’m excited to come in as the organization’s first CFO in a few years. It is truly an honor to inherit and enhance a world-class team across the groups I am lucky enough to lead. And, I must admit that being the central nervous system of a 7,000-employee startup in the hottest industry around is really cool.

While my new job and the beginnings of McAfee as an independent company are exciting, there is a lot of work ahead of us. First, we’ve got to stand up and operate as an independent company. We need to book, bill, collect, invoice and close the books starting after April 3rd. In addition, our critical teams in IT, Procurement, Supply Chain, Facilities and Real Estate have a huge amount of activities related to the stand up of McAfee and are critical to our success.

Next, we must ensure our day-to-day operations of an independent McAfee drive profitable growth. We owe it to all our stakeholders to drive growth and increase our cash flow and profitability. Luckily, we are beneficiaries of an established company, brand, business and team. It is up to us to leverage the strong foundation we inherited into increased shareholder return.

We must also continue to drive our strategic transformation as one of the largest pure-play cybersecurity companies in the industry. Innovation is the lifeblood of any technology company, and this is especially true in an industry where our adversaries are constantly finding new and insidious ways to attack. Whether it’s in Finance, Procurement, Supply Chain, Facilities, Real Estate or IT, the teams that I lead are committed to doing our part to help drive innovation – from operating more efficiently to ensuring proper resource allocation.

Most importantly, we must enable a culture of success and high-performing teams. We’re creating an environment where teams can thrive. Together, we’ll work hard for shared success and push one another to reach new heights.

I am honored to be the CFO of the new McAfee and am really excited about working with such a great group of fellow employees as we show the world that Together is Power.


It is no secret that the end goal for cybersecurity companies is to battle cyber-threats and cyber-attackers in order to keep their customers’ assets and data safe. Easy, right? Well, the problem is that defenders must move faster than the attackers, faster than the underlying technologies change, and faster than the attackers’ tools grow in power. That is extremely difficult to achieve if you try to do it by yourself in isolation, no matter your size or skills. Today’s cybersecurity juggernauts have tried to go about this in silos, which slows innovation in an industry that needs to evolve faster than the cybercriminals.

We’ve innovated in silos too. But no longer. With the launch of the new McAfee, we believe that #TogetherIsPower and are focusing on better collaboration to more quickly unlock the potential in our company and in the industry.

This collaboration comes in two forms: uniting across the industry in the fight against cybercrime and working together with our customers to better understand how to protect them. Both result in stronger, more innovative ideas, and ultimately, in better solutions to tricky security challenges.

Uniting the White Hat Fight

Silos have left the cybersecurity industry out of breath as it chases after inventive cybercriminals, desperate to catch up to their newest malicious innovations. And though partnerships like the Cyber Threat Alliance and technologies like McAfee Open DXL are great first steps, they’re just the beginning of an important movement. That’s where the new McAfee comes in: our new company allows us the freedom and agility to share knowledge, utilize the entire cybersecurity ecosystem to our advantage, and expand on existing partnerships and programs. There’s a difference in execution speed as well, since the new McAfee can now forge new partnerships at a faster rate than ever before – giving us a better chance at quickly tackling the newest cyber threats. Through these partnerships, white hats will begin to catch up with black hats.

Finding Strength in an Open Dialogue

Collaboration will also be a cornerstone of our customer relationships.

Our customers are the driving force behind our innovation, so it is critical that we understand their security challenges and where they see cybersecurity risks. Deeper dialogs will help generate new ideas, build stronger solutions, and solve problems more effectively.

Driving Evolution Forward

It is this dedication to collaboration – within the industry and with our customers – that defines what the new McAfee stands for as a company. We are excited about the new McAfee: a company that continues to grow, change and adapt; one that works endlessly to create better ideas, better products and better security.

For more information, follow us at @McAfee_Labs and @McAfee, and join the conversation with #TogetherIsPower


By now you’ve heard the news: Intel Security has officially rebranded to McAfee. But even though our company name has changed, our values and mission continue to endure: our focus remains on educating our customers through valuable content, collaborating within the industry to share intelligence, and leading in security initiatives and innovations. Ultimately, we’re dedicated to not just maintaining, but bettering, what makes us who we are, as we face the most diverse and advanced threat landscape we’ve ever seen.

Creating Valuable Content

Unfortunately, public understanding of cybersecurity as a whole is still lacking. Why? For starters, whenever there’s a major breach, the conversation is focused on the malware behind it, not the overall impact. So users are left asking “so what?” thinking it has nothing to do with their daily lives.

It is clear that there is work to be done when it comes to addressing, analyzing, and educating the public on the current risks that exist in their digital lives. This is why we’re sharpening our own threat intelligence content, so that we can start answering the “so what?”

We want to address those issues in a valuable way. So, we’re looking to develop content that is both interesting and relevant. The good news is that with the new McAfee brand, you’re only going to see more of this, as we’re going to keep driving home content that communicates the what and the why, not just the how.

To accomplish this, we have a team of researchers dedicated to specific threats across different research categories. Ultimately, the responsibility of security firms goes beyond simply providing technology; we also need to articulate emerging risks to an audience that does not yet understand the value of its information.

Sharing is Caring

But it’s not just up to us. This is a responsibility that rests on the shoulders of the entire industry—and with the new McAfee, we compete by collaborating.

Efforts like the CTA (Cyber Threat Alliance) hold us all to this sense of shared responsibility, and with it we can hold our heads high. But it’s just the start. We will continue to push forward when it comes to openly releasing research, the recently released CHIPSEC framework being the most recent example, as well as the decryption tools made available through the NoMoreRansom site, among many other examples.

Staying True to Who We Are

Integrity is a core component of what we do as an industry, and what we do as a company. So no matter what next initiative or innovation we drive, we maintain integrity in everything we do.

It’s like we said before, our name may change, but our mission – and what guides that mission—doesn’t.

Follow us on @McAfee and join the conversation about the new company with #NewMcAfee


It’s not often we get a chance to work on something truly amazing. To be a part of something new.

But this week marks one such occasion.

It’s a re-invention of one of the industry’s best known names. For someone like me who’s been around a few years, this is a great opportunity to help shape a company from the outset and try new ideas. I know that this is the kind of chance that comes only once or twice in a career.

Added to that is the fact that our industry – cybersecurity – is growing and moving faster than any other segment of IT. And McAfee is right in the center of what’s happening.

I don’t need to re-quote figures on the problems with cyber-attacks and security threats on the Web. It’s something we are all aware of. All you have to do is read a news site or pick up a newspaper. Security is probably the biggest challenge of the Digital Age.

Last year we introduced 18 new products. Organically. We developed four integrated security systems. We moved forward, fast, on our industry partnerships, which are now over 125. And we surprised the industry by open-sourcing DXL.

We are working in a special organization — one of the largest pure-play cyber security companies in the world — with a fantastic team of over 2,000 engineers, at a time when what we do is needed by the world more than ever. So it’s time to pause (just for a minute!) and reflect.

Chris envisions McAfee as the most respected, most trusted brand in cybersecurity. When we become the company we know we can be, we’ll be our customers’ #1 partner.


Today we introduce a ‘new’ McAfee to the world. It’s the right move at the right time. Not only for us, but for the global cybersecurity industry. We have a clear roadmap to lead in innovation, and an opportunity to shape the marketplace as never before.

The headlines we drive today span many dimensions. We represent a new brand promise, we offer a new pledge to our stakeholders and to one another, and we have a new view into growth. It’s our time to show the world not only who today’s McAfee is, but who tomorrow’s McAfee becomes.

At the same time, many things remain the same—starting with our strategy and our unwavering commitment to company objectives. The standup of our new company continues in the coming months. Thank you for your support to this point, but there’s more to do. Our independence is foundational to our continued strategic transformation. We’ll also keep our focus on the fundamentals of driving profitable growth—you’ll recall we created an independent company with growth as a central tenet. Finally, a culture of success and high-performing teams are essential enablers of everything we’ll accomplish in the future.

This constancy of purpose is essential because our challenges are stubbornly durable. Cybersecurity becomes increasingly complex every year, and with every wave of new attacks on innovation. I believe what we do as the new McAfee matters more than ever, not only to our individual success and career satisfaction, but to the wider world, and the hundreds of millions whose digital lives we protect.

That’s why we’re taking the lead and promoting important cultural changes in cybersecurity. In essence we’re dramatically re-shaping the ways our solutions are procured, implemented, and managed. We’re also the force behind a new conversation in cybersecurity, one that sensibly acknowledges the need for true collaboration and genuinely celebrates the power of working together.

You now represent the newest brand in cybersecurity. You can be very proud of everything you’ve done to bring this company to this milestone—we stand quite literally at the threshold of our future. Yet even as defining as our future will be, I do feel it’s important that we proudly take with us from today all the good that we created in the past.

As McAfee we’re going even further, faster. Independence is the best way for us to build more of what the industry needs now. Our timing couldn’t be better because we’re now wholly focused on our customers’ cybersecurity outcomes. There’s nothing to divide our attention. As an independent company we have the freedom, the power, and the responsibility to innovate as never before. Our new financial foundation and growth plan, made possible by McAfee’s new stakeholders, equips us to invest in ourselves and makes us a sustainable partner for the consumers, corporations, and organizations we’re pledged to protect.

Today is an exciting milestone, but it will come and go in a flash. Today’s equally exciting story is what comes next. We’re in this for the long haul and we intend to do real battle—not only with our adversaries, but with our competitors. Job one is to become the most respected, most trusted brand in global cybersecurity.

It’s a goal I’m proud to rally behind. And I’m proud to share the future with you.


In one of the most iconic self-help books of all time, How to Win Friends and Influence People, Dale Carnegie outlines several strategies to earn favor from others. Among them is recognizing that a person’s name is, to that person, the sweetest sound in any language. I’ll posit a reason: Your name is your first sign of identity to the world. It’s deeply personal. It connotes meaning. Over time and with familiarity, it becomes directly associated with your completely unique essence. In short, names matter.

As a lifelong marketer, I’ve been fascinated with how a company’s brand name can have the same impact. Over time, a strong brand becomes inextricably linked to a company’s identity. The moment you recognize a brand, your experiences and perceptions of that company are resurrected. In the same way your name immediately brings to mind what others who know you already think of you, recognized brands have the same effect for their companies. In short, brands matter.

And so, when we announced that, after six years with Intel Corporation, we would once again strike out on our own as a standalone company, the obvious question arose: What will be our name? We clearly had two choices: Keep the McAfee name, one that had remained part of our brand architecture even through our history with Intel, or lose it and chart a path under a completely new identity. To make the right choice, we had to take an honest assessment of how the name, McAfee, resonated in the market. And, we asked thousands of organizations and consumers around the globe to do just that.

What we found is that McAfee is synonymous with cybersecurity itself. It’s one of the first brands in this dynamic category that has maintained a 30-year history in protecting the digital lifestyles and assets increasingly important to all. That’s a powerful connection that holds true no matter the geography or segment in which we tested it. It’s a linkage that is so prevalent, the choice to keep the McAfee name became obvious.

Yet, at the same time, we had to realize that we are no longer the same McAfee we were 30 years ago – no more than you and I are the same people we were as children. Like you and me, McAfee has grown up. And, as a nod to that maturity, we knew we had to create a new McAfee brand to accompany a trusted name.

Again, that brand is rooted in research, which reveals that our industry is in desperate need of cybersecurity companies working together to defeat adversaries. Indeed, the digital freedom we tend to take for granted is dependent on it. With that, we expose our brand essence – Together is Power. It’s more than a slogan. It speaks to our fundamental worldview: Only by working together can we collectively address the greatest digital challenge of our time – cybercrime.

And, to signal that the McAfee we proudly launch today is equal parts time-tested and future-leaning, we unveil a new logo as the visual symbol of our identity:

It’s a shield – the undisputed symbol for defense.

It comprises two interlocking elements – representing the power of unity when individuals and organizations work together toward a common goal.

It respectfully acknowledges our heritage – from the classic red color to the carefully placed “M” that frames the shield itself.

Today marks a new chapter in our company’s history – one made possible only by the loyal customers, partners and employees who created it. You helped give us our name. You voted with how you perceive our strengths and where we must continue to do better. We’ve listened. The brand we release today is not ours to own, as only you can bestow its value. And, channeling the guru Dale Carnegie himself, we will tirelessly fight to continue earning your favor.


Mobile World Congress has come and gone. With over 100,000 attendees at the show, people gathered around the impressive booths to get a glimpse at what the world’s biggest mobile brands had to offer in 2017.

There was definitely a theme of nostalgia at play with the highly anticipated return of the classic Nokia 3310 (including Snake!), as well as other exciting and impressive device launches from the likes of LG and Sony.

But walking around the show floor and talking to people over the course of the four days, it became clear it was not the devices taking centre stage, but in fact 5G. Everywhere I looked I saw companies shouting about being at the ‘cutting edge of 5G’.

Now, 5G was definitely on everyone’s radar at last year’s MWC, but this year it felt slightly more real. In fact, Mats Granryd, director-general of GSMA, even said ahead of the show: “We will move away from being vague on the prospects of 5G this year to concrete proposals.” And he was right; we saw this from many of the big mobile players at the show fighting to be seen as being at the forefront of 5G. Because this ‘transformative power’ is no longer just hype, but set to become a reality in the next few years.

And as exciting as 5G is – and it is incredibly exciting – I’m also concerned about its arrival. Because with 5G comes a world of vulnerabilities – a world of security vulnerabilities that no one seems to be discussing or addressing in their proposals. With 5G comes download speeds of up to 10 gigabits per second (that’s 1,000 times faster than the current US 4G average), but what that also means is thousands more devices introducing more vulnerabilities into a world already struggling to deal with the countless devices flooding the internet.

Our recent Mobile Threats Report found more than 4,000 potentially malicious apps had been removed from Google Play, and 500,000+ devices still have these apps actively installed, putting users’ security at risk. This is happening now in a world of 4G, highlighting the fact that there are existing security issues that we must address before we should even consider bringing 5G to consumers.

As we veer closer to a world of 5G hyper connectivity, we must not forget security. And OK, it may not sound like the sexiest part of the ‘5G revolution’ but it has a huge role to play, and my mind will not be at ease until we start to address it. Because 5G will be an ‘evolution’ and the sooner security is considered the better for all of us.

In the coming months, I hope to see these very companies touting how they are revolutionising our world with 5G also telling us how they plan on addressing the security and privacy implications that come with it. It’s key that our safety and security are considered first.


There’s no question that cloud services are now a regular component of IT operations. And while this is great news for business users and developers who appreciate the agility and increased productivity offered by cloud services, security professionals are getting nervous.

Just about everyone in this line of work knows that all the excitement over adoption of cloud applications has spawned Shadow IT (the use of unsanctioned cloud services). However, most security teams lack the ability to discover what cloud services employees are using, what corporate data is being stored in the cloud, and who has access to the data. That’s a problem.

Intel Security has begun to roll out our response to this issue: McAfee Cloud Visibility – Community Edition (CVCE). It is our first of two entries into the cloud access security broker (CASB) market. McAfee Cloud Visibility is a free service for existing customers with McAfee DLP, encryption or web protection technologies.

This solution comes at an important time. Cloud services are now utilized by more than 90% of organizations around the world. In fact, many are working under a “Cloud First” philosophy, only choosing to deploy an internal service if there is no suitable cloud variant available. As a result, IT architectures are rapidly shifting to a hybrid private/public cloud model, with those surveyed expecting 80% of their IT budget to be cloud-based within an average of 15 months.

We think McAfee Cloud Visibility is the answer to these issues — it enables security professionals to:

Discover authorized and unauthorized cloud applications used by employees.

Identify risk associated with cloud applications based on risk indicators.

So, rather than fret about lack of cloud visibility or concern yourself with justifying the expense of a CASB solution, check out the McAfee Cloud Visibility—Community Edition solution at www.mcafee.com/cloudvisibility.


Walking this year’s Mobile World Congress I am no longer thrown by the devices, gadgets and flashy booths, but completely mystified at how we as an industry continue to hype up the idea of a truly connected world without addressing one of the most important pieces – security.

As someone who’s been in the industry for almost 20 years, you’d expect me to be shocked that many businesses still aren’t addressing something so key, especially as consumers are starting to question it. In the last year, more people than ever have started asking me: “So Raj, what about my security?”

Hurrah – finally – some people are catching on, and at least asking the question. But whether or not they’ll act upon it is what concerns me…

Don’t get me wrong. Whilst it’s great that some people are waking up to the realities that come with a connected lifestyle (which, let’s admit, is everyone at this stage), there is still a lot of work to do. Ultimately, it’s the industry’s job – that’s right, every single person at MWC and beyond – to lead this.

Because at the moment we’re failing. Our recent survey, for example, found half of us have no idea how to check if our devices have ever been compromised and a third are unsure how to check if a device has been breached. So although many may be starting to consider device security, it doesn’t mean they necessarily know how to manage it. Yet here we are at MWC giving these same people even more technologically advanced devices to play with – when we know most are unsure how to protect themselves – whether that’s with their phones, computers, kids’ toys, or now, connected homes and cars.

The truth is that with awesome technology comes great responsibility. So what do we – both consumers and businesses alike – do to ensure that the technology coming out of big shows like this is safe?

Put security first: security cannot be an afterthought in any device manufacturing process. It must be considered upfront by manufacturers so that any underlying issues can be addressed and catered for.

Be transparent: enough of the hiding; let’s be honest with consumers about the risks associated with using certain technology. Instead of hiding away and hoping it’s all OK, vendors must at least educate and advise the user on how best to protect themselves, including recommending security software suitable for that technology.

Take control: whilst I want to see manufacturers leading the way when it comes to security, consumers can and should do their bit too. Take device security at home, for example, where the home network is the hub for all connected devices. New solutions, such as McAfee Secure Home Platform, will help people easily manage and protect devices connected to this network while providing parental controls with permissions that can be tailored to the entire household.

We must be able to trust the new technology that’s making our world a hyper-connected one – as inventors, product developers, manufacturers, technology leaders from the word ‘go’ in our development cycles, through to the consumers’ lives when they use it. Trust has fallen down across our societies because of all the security hacks, risks and wider vulnerabilities that technology has opened up. It’s our job – each and every one of us – to help change that via our actions as an industry. Let’s continue producing amazing and innovative technology that helps change and advance our lives, but let’s protect ourselves – our friends, our economies, our neighbours and the wider industry – while we do. The more we can work together to build this trust, the better off each technology will be for everyone.


Mobile World Congress (MWC) provides yet another opportunity for technology giants to flex their muscles and whip the industry into a frenzy. Even more so than last year, mobile is a reflection of the Internet of Things (IoT) and the hyper-connected world we find ourselves living in. Following in the footsteps of CES, I expect to see a heavy focus on ‘smart’ technology as everything from hairbrushes to fridges and even pregnancy tests look to receive an IP overhaul.

But as companies battle to stay ahead of the competition, racing to bring innovative products to market, many are stumbling when it comes to security. And I’m worried.

In the last year alone, some of the worst IoT vulnerabilities have come to light, with the security of connected cars and even pacemakers being called into question. Never mind the threat of identity and financial theft, if cybercriminals are able to hack and control these objects, consumers’ physical health and safety could be at risk.

Traditionally in the automotive industry, for example, every aspect of the car would be rigorously tested to ensure drivers and passengers are as safe as possible. However, we haven’t seen the same stringent approach taken to protecting our increasingly computerised cars from hackers. Although driverless cars may not be mainstream, research from McAfee suggests 78% of new cars will be connected to the Internet by 2022 and therefore open to potential security breaches.

The lack of importance placed on cybersecurity has filtered through to consumers and is reflected in attitudes to data protection in connected devices. People wouldn’t dream of driving a car off the forecourt without seatbelts, yet they’ll happily invest in the next flashy car without knowing whether it has adequate cyber security in place.

MWC is the perfect platform for influential figures within technology and the wider industries such as health and automotive, which are investing heavily in connected devices, to discuss the ramifications of our increasingly connected world. We must continue to innovate, but we also have to work together to ensure that the latest technology doesn’t put consumers’ data or safety at risk. As an industry, we need to develop strict standards for manufacturers, with clear consequences for falling short of these standards.

Consumers also have a responsibility to drive change. If consumers refuse to buy products that are not properly secured, companies developing such products will start to take note and we’ll see security becoming more of a priority.

Data security is not a trend, it’s an ethical issue that holds the potential to impact us all if not taken seriously. With 5G on our doorsteps, hyper-connectivity will soon be a reality and more data than ever before will be transferred across networks via millions of devices. It’s imperative that we get security right and ensure products do not pose a threat to users.

As my colleague, Chris Young, said at this year’s RSA, “we have to start thinking of ourselves as smaller players in a bigger fight… we’re better when we link arms with like-minded partners, intent on the same goals.”

But if further collaboration is too much to ask, the Hippocratic oath is a simple philosophy that those involved in developing our connected world would do well to take note of: ‘help, or at least do no harm’.


I just left the keynote stage at RSA 2017, where I called on a very large audience—more than 40,000 attendees in the hall or watching screens throughout the Moscone Center—to re-think the future. I argued that while cybersecurity and potential threats against the digital experience have never been bigger, current defensive measures aren’t working. Tomorrow demands a different response from all of us, starting today.

We need to think small.

At RSA 2016 I wondered aloud how we would handle a cyber disruption of the presidential vote. Twelve months later it’s clear that cybersecurity was front and center in our country’s national election. After all, data drives decisions and the election reminded us that decisions write world history. Specifically, stolen and manipulated data was commissioned to assassinate character and disrupt democracy. While I’m not questioning the outcome of the election, I am pointing out that cyberattacks played a real role. It was a case of data manipulation intended to mislead decisions on a grand scale.

But let’s put politics aside. This manipulation of data matters in a broader discussion because data is the bedrock of our economy. We rely on big data to drive decisions, so the small data going into our big data models must have full integrity. When it’s manipulated, it’s turned into a weapon and used against us. Big data isn’t the problem, but when big data becomes bad data, then small data is the big story. Weaponized data is the next threat vector challenging all of us in cybersecurity. In fact, I submit that weaponized data is the newest form of advanced persistent threat.

Of course, data isn’t the only thing being weaponized.

Securing the digital experience is a tall order, especially when it comes to the organizations we defend. Not long ago we focused on protecting an individual device, then one network, then a single enterprise. But I’d argue today that we need to turn our focus from a large attack surface to a small one—the home, and we should care about this smaller target for two reasons. One, it’s increasingly where many of us work, on whatever device we have in hand. And two, it’s our connected devices in the home that are now used to launch larger, more sophisticated attacks. Last fall’s Mirai attack on Dyn is a perfect example.

Mirai enslaved a vast botnet of household devices (including security cameras, ironically) to wreak havoc. While we could think of the attack on Dyn as just one more DDoS, I believe our adversaries were just testing the limits of our capabilities. It’s no coincidence Mirai is Japanese for ‘future,’ because the Mirai threat is alive and well—it points to where we’re headed. You have to ask yourself, will it find the IoT devices it needs in your home? Or will it enlist soldiers for its botnet army from the homes of your employees? The smallest of technologies are being turned against us in the biggest of ways. How do we make sure the Internet of Things doesn’t become the Internet of Terrorism?

It’s a strange irony. What we once protected, we must now be protected against. We’ve given the enemy the ultimate scale they need by connecting our homes and deepening our reliance on data, even as both are weaponized. What’s our call to action when the game has changed so dramatically? We need to flip the script.

We have to start thinking of ourselves as smaller players in a bigger fight—players that collaborate generously in a vast, largely open ecosystem. We can begin by integrating best-in-class features from numerous cybersecurity providers across a shared communications fabric. On the RSA stage I announced OpenDXL (Data Exchange Layer) to the wider industry. It’s a free, open solution to share intelligence and orchestrate security operations across thousands of tools we all use. Go to GitHub today and download the SDK. It’s our small contribution to the industry, and just one example of numerous ways in which we can truly work together to drive the outcomes we need.

To put it in its simplest terms, cybersecurity needs a Dream Team. Like the NBA players who took gold in basketball at the 1992 Olympics, we need to check our egos at the door. If big names like Michael Jordan and Magic Johnson can put aside their drive to compete, all in order to win the bigger prize, surely we in cybersecurity can follow their example. We’re better when we link arms with like-minded partners, intent on the same goals. It’s a small idea that can have a big impact.

Let’s work together.

The author is senior vice president and general manager at McAfee.


The escalation and sophistication of cyber threats is very real. So are the challenges associated with having too many siloed security tools. Rather than compounding complexity and inefficiency by using products that don’t work in unison or communicate with each other, McAfee made a fundamental shift in how we engineer solutions, moving from point products to integrated systems that deliver better security outcomes.

Protect, detect and correct are better together

As Candace Worley suggested in her blog last fall, some things are simply better together! Integrating the threat defense builds the best protection possible, finds and contains advanced threats, and rapidly remediates them, while adapting to do a better job blocking the next threats. Quite simply, organizations with integrated security are 30% [1] better protected.

At the endpoint, McAfee provides this advantage through our new solution – Dynamic Endpoint Threat Defense. This multi-stage solution outsmarts even the savviest cyber threats and emerging malware, including ransomware. By leveraging the cloud dynamically to drive threat detection and analysis, and automating the Threat Defense Lifecycle, it shortens the window of vulnerability and makes it easier for endpoint administrators to focus on critical tasks.

Integrated, multi-stage protection improves efficacy

Not only is Dynamic Endpoint the only solution built on a connected platform, it’s also unique in the way it provides pre- and post-execution analysis powered by proven machine learning (Real Protect), greyware containment (Dynamic Application Containment) and native endpoint detection and response (Active Response). This solution uniquely addresses the entire Threat Defense Lifecycle with a single agent and console. It allows multi-stage protection to share insight as it stops malware across each stage:

Before it reaches the endpoint

Before it executes

While it executes

After it executes

McAfee Labs tested ENS 10.5, with Real Protect, vs ENS 10.2, and demonstrated a 34% higher detection rate. Most importantly, our tests confirmed its ability to stop zero-day malware, like ransomware, and secure the endpoint BEFORE the threat can infect the host. The advantage is further illustrated by private third-party real-world testing conducted by AV-TEST showing perfect efficacy scores in 3 consecutive rounds.

Beyond the initial test results, customers are also sharing their enthusiasm for the new solution.

“Not only does ENS handle the ‘commodity’ threats that can significantly occupy team resources, it now gives us even stronger advanced threat detection, protection and visibility.” – Large Manufacturer

ENS 10.2 has had the fastest endpoint adoption in history

Even simple upgrades are no small task for large organizations. However, since the release of Endpoint Security (ENS) 10.2 in August 2016, we have seen more than 2.5 million nodes already migrated, including a full 100K+ node environment. This rapid adoption represents the fastest adopted endpoint release in McAfee’s history. With over 80% of our installed base already on ENS-ready ePO versions, and more than half engaged in planning and deployment, we anticipate the adoption record being shattered during 2017.

For those interested in migrating to ENS 10.2 or 10.5, we’ve created a migration assistant to educate and aid customers while they migrate their data to the new platform. Automatic migration can create new policies and client tasks based on your current product settings and automatically assign them to groups and managed systems. For more information on migrating, visit www.mcafee.com/movetoens.

Native EDR closes the window of vulnerability

Built on the same connected architecture, using the same agent, and same ePO management console, Dynamic Endpoint includes endpoint detection and response (EDR) capabilities. Instantly, you have all the information necessary to detect, convict and remediate a threat in seconds rather than days or weeks. Using one-click actions, it’s possible to delete a malicious file from a single endpoint or across the entire organization; or, immediately update protection across all connected components based on the insight from the investigation.

“Active Response 2.0 definitely saves time. The modern workspace makes remediation much faster. Specifically, the speed to search, gather information on a threat and take action is done in mere minutes.” – Large Bank

Dynamic Endpoint breaks security silos to create a closed-loop system

Unlike other security vendors, McAfee provides a connected platform with integrated tools delivering better protection while preserving the most valuable resource – time. Our Dynamic Endpoint integrates with other McAfee products as well as third-party products through DXL, the industry’s leading (now open source!) threat sharing infrastructure. This allows users to automatically adapt defenses to stay ahead of emerging threats, using a connected infrastructure prepared for the future, rather than merely layering components.

Dynamic Endpoint Threat Defense is an integral part of McAfee’s core strategy, which was introduced at FOCUS ’16. Just as I emphasized in the Automating the Threat Lifecycle blog last year, we are committed to using integration, automation and orchestration to help users address more threats, faster, with fewer resources. Join us, and see for yourself!

[1] Penn Schoen Berland. Research on behalf of McAfee, 2016.

Brian Dye is Corporate Vice President and General Manager of Corporate Products at McAfee.

I’m pleased to announce Mike Berry is joining McAfee as our Chief Financial Officer. Mike’s been a CFO for more than 10 years in both public and private technology companies. Mike most recently was Executive Vice President, Chief Financial Officer, and Chief Operating Officer at FireEye, responsible for worldwide finance, accounting, data analytics, investor relations, …

Prior to FireEye, Mike served as Chief Financial Officer of Informatica. Additionally, he led finance and other operations for a number of technology companies, including IO, SolarWinds, and i2 Technologies.

I’ve known Mike for a while now—we served together on the board of directors of Rapid7. He understands the complexity and challenges of our industry, and he believes in the unique perspective we bring to the market. Namely, that it will take all of us, working together in an open, integrated architecture, to ensure a more secure world.

I also hear he’s got a mean slap shot. I couldn’t say…I prefer the basketball court to the hockey rink…but here’s what I can say: he’s a great addition to McAfee.

Avoid junk food, exercise more, save some money.

Every year around this time you can find gazillions (technical term) of articles about New Year’s resolutions and planning, for your job or personal life. I read an article a few years ago that suggested they usually take one of a few forms. Some inspirational feel-good stuff that lulls you into a euphoric sense that everything’s going to be just fine without you having to lift a finger. Some self-important person’s resolutions, which you should care about because, well, they are a very, very important person. What someone’s crystal ball says you should do next year because it’ll make you happy, prosperous, or both.

Avoid malware, practice incident response scenarios, save some money.

In keeping with the tradition I’ll recommend two specific ones that you really should add to the list:

The Commission on Enhancing National Cyber Security released its report on Securing and Growing the Digital Economy on December 1, 2016, with a cover letter to the President and President-elect identifying imperatives, recommendations, and action items. If you are a cybersecurity professional at any level and have not read this document, your first action for 2017 should be to do so. Your second action should be to encourage everyone you know, cyber professional or not, to also read it. This report is not densely technical, and it clearly describes the current state of cyber security and outlines a vision of the future. One of the essential reasons that everyone should read the report is that we all “must be more purposefully and effectively engaged in addressing cyber risks.” The Internet is a commons, and all of us have some level of accountability and responsibility to make it more secure.

The Commissioners organized their findings into six major imperatives, which are well organized and high level enough to cover just about every challenge our government faces in cyber. Helpfully, the commission also provided specific recommendations and action items for each one, to help move them forward.

Innovate and accelerate investment for the security and growth of digital networks and the digital economy.

Prepare consumers to thrive in a digital age.

Build cybersecurity workforce capabilities.

Better equip government to function effectively and securely in the digital age.

Ensure an open, fair, competitive, and secure global digital economy.

However, what I found more thought provoking was the “other areas that required more consideration”:

How best to incentivize appropriate cybersecurity behaviors and actions and how to determine if or when requirements are called for;

Who should lead in developing some of the most urgently needed standards and how best to assess whether those standards are being met;

What is the feasibility of better informing consumers, for example, through labeling and rating systems;

Which kinds of research and development efforts are most needed and at what cost;

How to project the right number of new cybersecurity professionals our economy needs and how to choose among different approaches for attracting and training the workforce at all levels; and,

What the roles and relationships of senior federal officials should be and how best to ensure that they not only have the right authorities but are empowered to take the appropriate actions.

Several of these points lead to the second resolution, to get more involved. Whether you are working on the front lines of cybersecurity, setting policy and strategy, or just benefitting from better security in your role, enhancing cybersecurity is a collective responsibility. Talk with your peers, get involved with security standards, educate your customers and suppliers, mentor a new or interested colleague, or just fix your poor password hygiene!

2017 is shaping up to be a very interesting year in cybersecurity. Whatever it brings, here’s wishing you and yours a great start to a new year sure to be filled with many challenges and successes along the way!


I led last week’s FOCUS 16 conversation with a simple question – “Are we safer together, or apart?”

It was a powerful way to begin my keynote, and you can safely presume the answer I gave on behalf of all of us at McAfee: cybersecurity outcomes are best when we work together.

Together is Power.™

This is our vision for the future. Working together is essential for all of cybersecurity, and this tenet will also be the driving force behind the new McAfee brand. I was truly proud in Las Vegas to unveil our new logo on the FOCUS stage with nearly 3,500 McAfee customers and partners in the audience—and with several thousand employees joining via webcast from around the world. These are the stakeholders that have made possible our journey over the decades. And these are the men and women who will make the new McAfee brand the largest and best pure-play in cybersecurity. Look for the new brand mark in the coming months.

A new product logo is a big change, but one thing that didn’t change on the FOCUS stage is our commitment to be our customers’ #1 cybersecurity partner. Earning that privilege is our north star.

Now here’s what did change at FOCUS 16. We announced a whole new series of integrated platforms and automated workflows that will enable all of us in cybersecurity to work together in ways never before thought feasible. Last week’s big news centered on a record number of innovations from McAfee that were a year in the making. And all of the headlines we created are underpinned by a book that we also dropped at FOCUS.

The Second Economy: The Race for Trust, Treasure and Time in the Cybersecurity War lays out McAfee’s view of cybersecurity’s future. Authored by Steve Grobman, our Chief Technology Officer, and Allison Cerra, our Vice President of Marketing, The Second Economy puts into plain language the cybersecurity challenge, and invites readers to understand and enlist in the cause. I encourage you to read the book and challenge your own assumptions, consider abandoning obsolete defense strategies, and sign onto driving robust collaboration for a more secure world. In the ‘second economy,’ money (or, treasure) is not the only currency in play; we battle for trust and against time as well. To win the cybersecurity war for the long term, we must succeed on all three fronts.

Winning means working together. That’s why we introduced more than 18 new products and partner innovations across our portfolio at FOCUS 16. They are the result of hundreds of millions of dollars in R&D investments over the past twelve months. Many of those investments mean McAfee now has more engineers, more product managers, more UX experts, and more professional services members on the job, serving our customers.

But perhaps the most important announcement at FOCUS was our boldest-ever collaboration play. We are opening our Data Exchange Layer (DXL) communications fabric to…well, everyone. That’s right. Open DXL for the entire industry. It’s our call-to-arms to face the cybersecurity challenge in a way that no others have. I’m excited and proud to lead this charge and to put this invitation to all cybersecurity innovators: Let’s. Work. Together.

We also introduced a new architecture vision, where routine task automation goes to a new, unprecedented level of orchestration. Human oversight is still in the mix, but we’re advancing human-machine teaming to its highest level yet. Additional innovations strengthen security around the key control points of cloud and endpoint.

What’s more, we’ll provide cybersecurity-as-a-service in a way that allows our customers to redeploy their own people as escalation points – focusing on the toughest, most urgent emergencies, instead of routine attack remediation. Put simply, our roadmap for tomorrow enables cybersecurity on your terms.

I’ve never been as proud of my talented colleagues as I was last week at FOCUS, demonstrating the power and elegance of our new, integrated architecture. I know not everyone is with us on this point – at least, not yet. But I also know working together is the future of cybersecurity. Every day, more are realizing that the only way to address more of today’s threats, faster, and with fewer resources, is to integrate and collaborate. It’s the way forward. The second economy demands it, and the first economy deserves no less.

Even our new logo pays tribute to the power of collaboration with its striking two-tone red shield. It visually represents the most important message each of us in this fight needs to understand. We’re smarter together. We’re safer together. We’re better together.

Together is Power.™

No question: It’s a new day for the new McAfee brand – and our best days are ahead.


In my last post, I discussed the attributes of our adversaries, the drivers behind their activities, and their recent attack methodologies. I also discussed the threat defense efficacy curve, which illustrates how cyber defense capabilities decline in efficacy over time as attackers develop countermeasures to evade them.

My FOCUS 16 keynote last week also explained how we can build more effective defenses that match our adversaries’ abilities to innovate and orchestrate.

At the Head of the Curve

It really all comes down to landing new technologies at the leading edge of the threat defense efficacy curve.

That is, it’s important that we add new technologies into our environment at the point where they can live with a high level of efficacy for the longest duration of time before adversaries develop countermeasures rendering them less effective.

To do this, McAfee is delivering a pipeline of technologies that can very rapidly be integrated and deployed into enterprise environments.

Last week at FOCUS, Brian Dye and Candace Worley showcased Real Protect and Dynamic Application Control. These capabilities will integrate within platforms like McAfee Endpoint Security, where it’s not about deploying an entire new product, but simply reconfiguring and selecting new functionality that can flow into the platform with a much lower level of effort than deploying entirely new solutions.

What we’re committing to is creating a strong pipeline of capabilities that is constantly looking at how to defend against the latest threats, including working on things that will counter some of the most difficult problems that we have in the industry today.

These capabilities could address the latest ransomware strains, or the challenge of real-time polymorphic packing of executables, where it’s very difficult to use traditional signatures or hash-based approaches because every time something is packed, it’s going to be 100% unique to a target victim.

Human-Machine Teaming

Today I explained that when we move beyond the individual technologies, we need to think about how we protect our environment overall. At McAfee, we believe the strategy really needs to be around “human-machine teaming.”

If you look at the “human” and “machine” elements of cyber defense, each of them has unique properties which, put together, can deliver the best possible solution.

Machine learning is really the only way we can deal with the massive scale of data required to analyze and understand cyber events within environments. But we also need to recognize that there will always be a human adversary on the other end of an attack, always working to confuse and evade our technologies. So, it’s absolutely critical that we put our incident responders and security operations personnel into the equation, where they can bring unique strategies and intellect to think like the attackers think.

To do this, however, we need to build out a new structure for talking about cyber defense.

Moving Beyond Threat Intelligence

For years we have been talking about threat intelligence, which started as object reputation and over time has come to include additional elements such as tactics, techniques, and procedures, or specific information about campaigns.

The problem with threat intelligence is it can tell you what the threats are, but it doesn’t actually tell you how to defend against them.

We need to augment this nomenclature with other key elements, namely, investigative methods to determine what is going on in our environments. We need visibility into events, analytics to process and determine what those events mean, and assessment recalibration to go from recognizing what is happening to deciding what must be done about it.

Finally, once we identify threats operating in our environments, we need to be able to orchestrate the right responses effectively and efficiently, allowing us to both recover and update our protections.

To build technologies that link threat intelligence, investigative methods, and orchestrated response capabilities together, we need a high degree of scalability from an infrastructure perspective, and the right underpinnings in the fabric upon which these capabilities rely.

McAfee built McAfee Data Exchange Layer (DXL) with these requirements in mind, and, this week at FOCUS, we announced that we are making DXL available as an open industry protocol:

From a connectivity perspective, DXL allows us to communicate about events with clients even when they are in complex network situations, and get information to or from them with ease. The protocol also favors efficiency, making sure that enterprises can move data across their networks once, and have one-to-many or many-to-one sorts of data transfers. Moreover, DXL enables a security model that allows integrity and attestation, such that data goes only where it should go.

My keynote featured an example of DXL in action.

We showed how command and control traffic could be reported to McAfee solutions by a Check Point solution, allowing McAfee defenses to quickly determine the right analysis and, later, the response.

Our demo system captured events and turned around and executed searches to determine where the event came from. Based on the “machine” results of the search, we humans then took action to address it. We could tag an impacted system and change policies if needed.

Finally, we sent a request to a Rapid7 vulnerability management solution, set a tag in an Aruba access control solution, and contained the incident within the network. All with a sophisticated 218 lines of code.
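The fabric properties described above (publish once, fan out one-to-many, integrity tags so data goes only where it should) and the demo flow (perimeter C2 alert, search for the source host, tag it, send scan and containment requests to partner tools) can be sketched in a few dozen lines. The block below is an added illustration written for this page; it is not OpenDXL or any McAfee or partner code. The topic names, the shared HMAC key, the endpoint telemetry table and the responder names are all constructed assumptions.

```python
"""Added example (not OpenDXL or any McAfee/partner code): a toy message
fabric with publish ACLs and HMAC integrity tags, plus the detect ->
investigate -> respond flow the keynote demo described.  Topic names,
the sample events and the containment actions are assumptions."""
import hashlib
import hmac
import json
from collections import defaultdict


class Fabric:
    """Topic pub/sub with one-to-many fan-out, per-client publish ACLs and
    HMAC-SHA256 tags so subscribers can check that a message is intact."""

    def __init__(self, key: bytes):
        self._key = key
        self._subs = defaultdict(list)   # topic -> [callback]
        self._acl = defaultdict(set)     # client -> topics it may publish to

    def allow_publish(self, client: str, topic: str) -> None:
        self._acl[client].add(topic)

    def subscribe(self, topic: str, callback) -> None:
        self._subs[topic].append(callback)

    def _tag(self, topic: str, payload: dict) -> str:
        body = json.dumps(payload, sort_keys=True).encode()
        return hmac.new(self._key, topic.encode() + b"\0" + body, hashlib.sha256).hexdigest()

    def verify(self, msg: dict) -> bool:
        """Subscriber-side integrity check with a constant-time compare."""
        return hmac.compare_digest(msg["tag"], self._tag(msg["topic"], msg["payload"]))

    def publish(self, client: str, topic: str, payload: dict) -> int:
        """Publish once, fan out to every subscriber.  Returns the number of
        deliveries; 0 means the ACL denied the publish and nothing was sent."""
        if topic not in self._acl[client]:
            return 0
        msg = {"topic": topic, "payload": payload, "tag": self._tag(topic, payload)}
        for cb in self._subs[topic]:
            cb(msg)
        return len(self._subs[topic])


# Constructed endpoint telemetry that the investigative search runs over.
ENDPOINT_EVENTS = [
    {"host": "ws-017", "ip": "10.1.5.23", "process": "update.exe"},
    {"host": "ws-042", "ip": "10.1.5.88", "process": "chrome.exe"},
]


class Orchestrator:
    """Turns a perimeter C2 alert into a search, a tag and containment requests."""

    def __init__(self, fabric: Fabric):
        self.fabric = fabric
        self.tags = {}        # host -> tag applied after the search
        fabric.allow_publish("orchestrator", "/actions/scan")
        fabric.allow_publish("orchestrator", "/actions/quarantine")
        fabric.subscribe("/events/perimeter/c2", self.on_c2_event)

    def on_c2_event(self, msg: dict) -> None:
        if not self.fabric.verify(msg):
            return                       # tampered or mis-keyed: ignore
        src_ip = msg["payload"]["src_ip"]
        # Investigative method: which endpoint did the event come from?
        for hit in (e for e in ENDPOINT_EVENTS if e["ip"] == src_ip):
            # In the page's demo a human took this tagging step; it is automated here.
            self.tags[hit["host"]] = "suspected-c2"
            self.fabric.publish("orchestrator", "/actions/scan", {"host": hit["host"]})
            self.fabric.publish("orchestrator", "/actions/quarantine", {"host": hit["host"]})


def run_demo() -> dict:
    """Wires a perimeter sensor, the orchestrator and two responders together."""
    fabric = Fabric(key=b"constructed-shared-key")
    received = defaultdict(list)         # responder -> payloads it received
    fabric.subscribe("/actions/scan", lambda m: received["vuln_scanner"].append(m["payload"]))
    fabric.subscribe("/actions/quarantine", lambda m: received["nac"].append(m["payload"]))
    orch = Orchestrator(fabric)

    fabric.allow_publish("perimeter-sensor", "/events/perimeter/c2")
    delivered = fabric.publish("perimeter-sensor", "/events/perimeter/c2",
                               {"src_ip": "10.1.5.23", "dst": "203.0.113.9"})
    # A client with no ACL entry for the topic cannot inject alerts.
    rejected = fabric.publish("rogue-client", "/events/perimeter/c2", {"src_ip": "10.1.5.88"})
    return {"delivered": delivered, "rejected": rejected,
            "tags": dict(orch.tags), "responders": dict(received)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The ACL is enforced at publish time and the integrity tag is checked at the subscriber, so a message that reaches a responder has passed both a "may this client say this on this topic" policy and an "is this exactly what was sent" check; a real deployment would replace the shared HMAC key with per-client credentials.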

This human-machine teaming example showed how our threat intelligence, investigative methods, and orchestration framework could be implemented by organizations. Today’s announcement of the release of OpenDXL means that such a framework can be built with and even extended beyond McAfee and McAfee Security Innovation Alliance (SIA) partner solutions to include any number of other third-party solutions.

But, more importantly, it means McAfee customers can evolve however their situations require. They now have the power to design cyber defense capabilities unique to their environments, however specialized and complex they may be, whatever their functions or businesses are, and however they might be confronted on the cyber-threat landscape.

Please see the replay of my FOCUS’16 keynote for more information and insight.

Security, Time, and the Decline of Efficacy
Fri, 04 Nov 2016


This week at the FOCUS’16 conference in Las Vegas, I shared perspectives on today’s changing threat landscape, how we must re-think cyber defense technologies, and Intel Security’s vision for thwarting the cyber-threats of tomorrow.

In 2016, we saw significant cases of cyber activity from criminals, nation-states, and hacktivists. In each case, they’ve really upped their game.

We saw ransomware evolve from holding consumers’ data hostage, to going after larger “soft targets” such as hospitals. Front and center in our presidential election, we’ve seen nation-state actors become mainstream by using cyber activities to manipulate voter thought processes. Hacktivists have been effective in using cyber events and disclosures to change the way that we think about certain people, organizations, and issues.

In all of these cases, bad actors also changed their underlying arsenal of tools and techniques. In some cases, we saw them use tools we defenders use, but for malicious purposes. They’re using artificial intelligence to do a better job at spear-phishing. As we’ve seen in the current presidential election, they’re not just stealing data, but weaponizing it to cause harm.

They’re also looking at ways to take advantage of vulnerabilities among the armies of IoT devices (including connected cars) that are now beyond the physical reach and corrective capacity of their manufacturers. Some of these devices can’t be updated at all even if manufacturers wanted to. Any vulnerabilities that may exist within them could allow attackers to compromise and use them as cyber-attack vehicles for the current and future generations of hackers.

What we see in all of these cases is that there is a way to think about the problem statement of “what might be attacked.” It’s really about the incentive to the attackers, how easy it is to achieve their goal, and what the risk of discovery is.

Cybercriminals will always look to maximize profits, while minimizing the risk of prosecution. Nation-states will look to amplify their ability to change opinions, or steal intellectual property. They will weigh this against the risk of being identified through strong attribution, and the prospect of retaliatory steps taken in either the cyber or kinetic domains.

In all of these cases, it’s really about understanding how we defend against the next generation of attacks, and, in many ways, it requires thinking about our cyber defense technologies and their efficacy over time.

Cyber Defense Efficacy

One of the ways to do this is to think about security technologies from a time perspective, in contrast to typical IT technologies.

In most IT technologies, there is an inherent benefit to being a late adopter. Whether a database, architecture, or network technology, most technologies get better over time, meaning there are advantages to waiting for early adopters to implement and work the bugs out.

The problem is that cyber defense technologies are typically most effective right after invention. The reason for this is that a security defense capability will initially focus on solving a problem for a very well-understood issue or set of threats. During the initial deployment phase, there isn’t enough volume for adversaries to build countermeasures or evasion tactics.

But once it becomes part of a widely deployed defense, we see that new techniques by the attackers work to directly influence and reduce the effectiveness of the technology. Its effectiveness inevitably declines.

Threat Defense Efficacy Curve

We’ve seen this time and time again:

Bayesian spam filters worked well until there was enough deployment to force the cybercriminals to use HTML formatting tricks and other techniques to bypass them.

When we implemented the use of hashes to very quickly convict files without waiting for signature detection, adversaries were driven to build countermeasures such as creating polymorphic downloads to make each malware sample unique.

Sandboxing helped us find never-before-seen malware, but very quickly we began to see malware that was sandbox-aware, adding evasion tactics to determine whether it was operating within a sandbox or on a victim’s machine.

We need to recognize that this cycle is going to remain true for every technology, even some of the most powerful technologies at our disposal today. So, as we walk around the floor at RSA and Black Hat, and hear about the promise of big data, machine learning, and artificial intelligence, we need to think forward to what the next generation of countermeasures could be.

That’s one of the key things we’re focused on at McAfee: as we build out new technologies, we’re figuring out how adversaries will attack them to make them more inherently resilient.

In my next blog post, I will share how we can use the curve to develop better defensive strategies, and how McAfee is delivering the solutions to enable partners to improve their defenses and amplify outcomes.

Writing from the FOCUS 16 Security Conference, Wed., Nov. 2

I just came out of one of the most energetic keynote sessions I have ever seen.

Chris Young, who heads McAfee, mapped out a vision for the future of our company. It was overwhelming.

I don’t need to re-quote figures on the problems with cyber-attacks and security threats on the Web. It’s something we all are aware of. All you have to do is read a news site or pick up a newspaper. Security is probably the biggest challenge to the Digital Age.

Our industry – cybersecurity – is moving faster than any other segment of IT. And McAfee is right in the center of what’s happening.

This year McAfee introduced 18 new products. We developed four integrated security systems. We moved forward, fast, on our industry partnerships, which are now up to 125.

This morning Chris unveiled the new McAfee logo, which will go into full effect early next year, when the company formally spins out from Intel (though Intel is hanging on to 49% of us!). At that point we will be one of the largest pure-play cyber security companies in the world. Our goal is to also be the #1 security partner.

We aim to move even faster in 2017, and actually increase our product introductions, chiefly through organic innovation. We will continue to move into the cloud and integrated solutions, and with the opening of DXL (https://github.com/opendxl), we expect to greatly accelerate our partnerships.

If I could be personal for a moment, this for me is one of the greatest chances of my lifetime. I’m working in a great company, with a fantastic team of over 2000 engineers, at a time when what we do is needed by the world more than ever.

Chris has given us our marching orders. #1. Agile. Integrated. Cloud-based. And working together within the industry, not just turning out point widgets.


Human beings are an amazingly resilient species. I’m not speaking merely of our collective abilities in building and growing productive civilizations the world over. I’m referring to a much more important, even if less understood, characteristic—that of our ability to deceive ourselves.

I realize that statement is loaded with controversy, if not confusion, so allow me to explain. Psychology has explored the most essential element that separates mankind from every other species on the planet—that of our ability to reason. Our mind dictates how we see the world around us and drives our behavior, no matter how deliberate or unconscious it may be.

And so, when considering how our brain processes risk, such as that rampant in the world of cybersecurity, the mind that governs every action we take is significantly impaired by its own limitations. We can thank psychologists for their contributions in helping us understand the seemingly unthinkable. The field has identified several ways we fundamentally get risk wrong. Whether it’s our tendency to underestimate threats that creep up on us (such as the daily grind of poor eating habits that contribute to a lifetime of disease complications), our propensity to substitute one risk for another (such as speeding up once we click our seatbelt) or the seductive illusion of control (where we will readily text and drive but excoriate others for doing the same), the human brain is amazingly resilient in revealing what we want to see—even if in stark contrast to actual reality.

The implications to cybersecurity are palpable. Employees readily justify risky behavior, such as clicking on unknown links or emails, if not dismissing their own judgment in questioning that which is suspicious. Cybersecurity professionals believe they are best equipped to handle the next threat, rather than relying on a third party with presumably more experience for the same. The slow drip, drip, drip of breaches that litter headlines creates an insidious perception that we are somehow immune to the next one—all the while the risk continues to creep up on us.

Consider some of the more sobering facts. According to McAfee primary research of American consumers, 71% of those aged 18-34 believe their data is more secure today than it was a year ago. This isn’t merely a generational issue. Some 65% of those aged 35-54 agree. This, despite the fact that the number of threats in our virtual world continues to exponentially multiply. Not convinced? Ten years ago, McAfee Labs observed 25 new threats per day entering the landscape; today, that figure has exploded to more than 400,000 new threats—per day!

Muddying the waters further, it’s not as though consumers don’t believe the threatscape is more dangerous—even overestimating the number of annual data breaches in the U.S.—all while also overestimating their own capabilities in defending themselves against such clear and present risks. The powerful psychological concoction that ensues provides threat actors the world over with self-deceived consumers (and, yes, cybersecurity professionals) who might as well hang a virtual shingle on their public profile or company website with the simple message, “Your Next Victim Here”.

Take heart. There’s an answer to this problem. We’re not likely to uproot millennia of psychology evolution that have programmed our brains toward self-deceit. But, such propensities can be remediated, if not balanced, with an open and constructive dialogue about our tendency to miscalculate risk entirely. When we do, we can remove at least a few bullets, if not an entire weapon category, from the enemy’s arsenal.


One could argue the last thing the world needs is another book on cybersecurity. A simple search of the term on Amazon yields nearly 1,700 results. A Google search of the same renders nearly 27 million hits. In fact, one could argue that cybersecurity is dangerously close to suffering the same overexposure plaguing so many once-interesting, now-irritating celebrities clinging to their proverbial fifteen minutes of fame.

So, why write another book on an already saturated topic? Quite simply, because one is needed. There are more than enough cybersecurity books that cover the technical aspects of the field. These are worthy of any cybersecurity professional’s bookshelf. But, there simply isn’t a cybersecurity book that clearly articulates why the layperson should care about a war that many are unaware is even occurring.

When we speak of the layperson, we’re not discussing the average consumer and his or her need for widely available and equally understood antivirus protection. We’re speaking of employees and executives who play a very important role, whether they realize it or not, in a cybersecurity battle that has much higher stakes. One where noble cybersecurity professionals stand on the right side of a fight too important to lose and are the unsung heroes of their organizations, seeking no glory, knowing the cause is bigger than themselves. These defenders toil in virtual anonymity, protecting all that is sacred to their organizations, while many of their colleagues play the role of unwitting participant, directly or indirectly doing the bidding of enemies seeking to undo their employers.

And, because motivated adversaries who aim to weaken an organization’s defenses know that these unwitting participants are most useful when they are also most ignorant, cybersecurity is simply too important to remain a dialogue within technical hallways. We must expand the conversation to include employees, whose ignorance is a bullet in the enemy’s gun. We must engage business leaders, including CXOs and board members, who directly or indirectly guide their organizations’ cybersecurity agenda, even if they do so not always understanding the ramifications of their decisions.

We realize it’s not these laypersons’ fault that they don’t understand our world. We’ve never invited them in. Enter “The Second Economy.” Think of it as a veritable Rosetta Stone that converts technical speak into business language. Does this mean that technologists shouldn’t give it a read? Absolutely not! If there is one enemy greater than the adversary seeking to destroy a cybersecurity professional’s organization, it’s the preconceived cybersecurity notion that has outlived its relevance all while it guides a defensive strategy built on faulty assumptions. For these technologists, you’ll gain a different perspective on your mission, even understanding how conventional cybersecurity “wisdom” is anything but.

Whether you are a technologist or a layperson, a cybersecurity professional or a business leader, open this book and open your mind to a fascinating topic that is simply too important to ignore. This is a war that can only be won when we all understand what is at stake and the role we play as defenders, attackers, victims or unwitting participants. The first step to action is understanding. “The Second Economy” seeks to initiate the dialogue between cybersecurity professionals and their non-technical peers that, despite the thousands of books and millions of search results on the topic, is conspicuous by its absence.


Over the last several days, we’ve seen headlines on potential cyberattacks on state voter registries, cybersecurity front and center in the Clinton-Trump presidential debate, and new revelations into the Yahoo! cyber-breach that appears to have compromised more than 500 million user accounts.

McAfee CTO Steve Grobman fielded a number of questions on these events and revelations:

What do you make of the FBI and DHS announcements that the agencies have detected cyberattacks on voter registration websites in more than a dozen states?

“These announcements certainly raise concerns. Elections are meant to be anonymous and not traceable back to the individual voter. Thirty-one states and DC offer the kind of online voter registration that the FBI says was targeted. The perpetrators are hacktivists. They probably seek to shake voter confidence in the American electoral system, and they only have to have one high-profile attack to achieve this goal.”

What do you make of reports that cybercriminals are behind the theft of 500 million Yahoo! users’ accounts, not government-backed hackers, and these actors sold the data to a state actor?

“Some nation-states have the same cyber gap in their offensive operations as the rest of the world has in defensive operations. Moreover, they face the threat of kinetic repercussions resulting from the digital attribution of a cyberattack. Therefore, it’s conceivable that these state actors could use a wide range of tactics to mitigate these issues. This could indeed include partnering with criminal or private organizations to achieve their strategic objectives.

Because of this, we need to be careful not to interpret what little we see as definitive proof of a conclusion.

For example, the fact that stolen data can be leaked through criminal underground networks could simply indicate that a nation-state is attempting to mask a cyber espionage operation as a standard cybercriminal breach. It may also be a side effect of a criminal actor acting on a nation-state’s behalf. A similar deception can occur in reverse, in which a criminal or terrorist group can use tactics to falsely implicate a nation-state.”

What should we make of the possibility of a nation-state potentially hacking a U.S. corporation for user emails as an act of espionage?

“For state actors, the political or strategic incentives of orchestrating such a large breach are as real as the obvious financial ones for cybercriminals. A rival state’s intelligence services could find and access the messages of individuals with political, government, military, and even corporate public profiles.

Consider the recent compromise and disclosure of former Secretary of State Colin Powell’s personal email messages. While probably more tame than the average citizen’s messages, the public disclosure of his communications revealed statements that proved controversial in political and other government circles.

The emails of the less tame or even reckless candidate, three-letter agency chair, general, or CEO could contain material sensitive enough to destroy careers, enable blackmail, endanger a mission, or influence high-level negotiations and decisions.”

Regarding Verizon’s planned acquisition of Yahoo!, is an analysis of a company’s computer security expected as part of the due diligence in a purchase?

“It is common practice for technology companies conducting due diligence of a potential acquisition to evaluate the cybersecurity posture of that target. This due diligence often includes requesting a list of IT breaches, reviewing the results of any security audits or certifications, evaluating the company’s policies and procedures for IT security, reviewing the company’s privacy policies, and assessing the nature of personal information held by the business, among others.”

Who generally performs such an analysis? Are they paid by the buyer or the seller?

“Security-related diligence is often conducted through a combination of internal teams employed by the acquirer, and, if needed, third-party specialists. The cost of any third-party evaluation is typically borne by the acquirer.”

Would such an analysis have picked up this breach?

“The due diligence process generally requires disclosure of known IT breaches. Security audits or other evaluations conducted during the course of diligence would attempt to assess the likelihood of future breaches or potentially undiscovered IT breaches.”

What was your reaction to the prominent mention of cybersecurity in the presidential debate between Hillary Clinton and Donald Trump?

“It was refreshing to see cybersecurity at the forefront of the national security conversation during the debate. In just a few years, we’ve seen cybersecurity go from a function of the IT back office, to the nation’s Oval Office.

While events have tended to drive government into action, more and more of our nation’s top leaders understand the cyber battlefield is as critical as land, sea, air, and space. The prominence of cybersecurity in this week’s debate is tremendous progress, with the promise of further progress to come in the coming months and years.”


I like chocolate but I don’t seek it out. Peanut butter – I can take it or leave it. But put them together and now you’ve got my attention. Some things are better together. That doesn’t mean they aren’t perfectly good by themselves. It just means that combined, they provide a superior experience. Although comparing peanut butter cups and Dynamic Endpoint Defense might seem like a stretch, they are both the result of putting two perfectly good ingredients together to create something that delivers greater satisfaction and a more superior experience than the individual elements alone. Endpoint Security technologies today are generally single purpose and fail to deliver a superior level of satisfaction for most, if not all, of their users. They are not converged or integrated or even aware of each other. They protect, detect, or correct in isolation. Yet the need from security practitioners is nearly the opposite – they need security that is delivered in a coordinated, integrated, and system-aware solution. In other words, they want the Reese’s* Peanut Butter cup of security – simple, superior, and satisfying.

There is little satisfaction in today’s approach to endpoint security. The product-for-every-problem approach is only good until there is a new problem tomorrow. To secure complex environments, you need security that is as dynamic as the environment it’s protecting and the threats it’s protecting against. Dynamic endpoint defense requires a fundamental shift from deploying isolated countermeasures designed with the sole directive of payload recognition, to a collaborative set of converged capabilities that can identify, contain, and eradicate threats across all points of attack progression as part of an integrated security platform. Only through a system and platform based approach will the industry eliminate security silos and deliver real-time, holistic security that addresses the entire threat defense lifecycle from protect to detect and correct.

McAfee Dynamic Endpoint will bring together our best security management and on-device protections integrated with cloud based analytics to deliver dynamic and highly adaptable protection against known and zero day attacks. It will do this by utilizing a multitude of approaches to identify transient attack techniques and lateral movements that do not manifest themselves in obvious ways.

By leveraging multiple security capabilities as part of an integrated system, McAfee® Dynamic Endpoint will provide proactive protection, advanced detection, and automatable correction addressing the entire threat defense lifecycle. Delivering our solution in this way will reduce computing overhead on the system while providing extensibility that makes it easy to evolve your endpoint security footprint. Early testing of McAfee Dynamic Endpoint shows promising results. It prevented 60% more threats than signature-based solutions, reduced team training times by 80% and took 66% less operational personnel than Best of Breed approaches. The integrated approach to securing the endpoint enables security teams to do more, faster, with fewer resources.

McAfee® Dynamic Endpoint will be comprehensive in its approach to securing endpoints. As a result of being fully integrated into McAfee’s platform, its capabilities will help to ensure the health, integrity, and improved TCO of the entire security infrastructure. The endpoint does not live alone in an IT infrastructure. It coexists with many other security solutions. At any given time a computing compromise may occur rendering the IT infrastructure only as strong as its weakest link. Our McAfee platform approach will mitigate this risk.

Our endpoint will connect, in real time, to McAfee and Partner solutions subscribed to the McAfee Platform via our Threat Intelligence Exchange and Data Exchange Layer. Being part of this platform means that an attack, and the associated threat intelligence, discovered by McAfee Dynamic Endpoint, will be shared in real time with all other countermeasures subscribed to the platform. Delivering on this strategy requires scale from an endpoint penetration, threat intelligence, and management perspective. McAfee delivers that scale with over 90 million corporate endpoints protected with our endpoint solution, a product and partner management console in the McAfee® ePolicy Orchestrator®, a tightly integrated threat intelligence cloud processing 420 billion lines of telemetry a month, and a security partner ecosystem with 135 partners committed to platform integration. This platform approach means that an attempted compromise and threat discovery on a single endpoint protected by the McAfee® Dynamic Endpoint solution will become the seed of immunity for the entire network.

At FOCUS 2016, our annual user conference at the Aria Casino in Las Vegas, Nevada, November 1-3, 2016, we will showcase new solutions in support of Dynamic Endpoint and its integration with the broader McAfee platform.

Bringing together advanced and traditional endpoint security in McAfee® Dynamic Endpoint, in addition to the integration with the broader McAfee Platform, will allow us to deliver a superior experience compared to delivering any of them alone. Stand-alone, each delivers value, but together they deliver superior satisfaction.

Who knew that peanut butter cups and Dynamic Endpoint could possibly have anything in common!

NOTICE: The information contained in this document is for informational purposes only and should not be deemed an offer by McAfee or create an obligation on McAfee. McAfee reserves the right to discontinue products at any time, add or subtract features or functionality, or modify its products, at its sole discretion, without notice and without incurring further obligations.

McAfee, McAfee logo, ePolicy Orchestrator, and McAfee ePO are trademarks of McAfee Corporation or its subsidiaries in the U.S. and/or other countries. *Other names and brands may be claimed as the property of others.


“We’re here to pinch your best ideas.” Those words began Mayor of London, Sadiq Khan’s remarks to a small group of city officials, regulators and private industry in New York City’s financial district this morning. The discussion was focused on cities, climate change and the use of technology to address it while improving citizens’ lives.

Mayor Khan stated that he believes this will be the first generation to tackle climate change or the last to ignore it. This is obviously a strong commitment, partially driven by a commitment to public health: it’s estimated that 9500 Londoners die every year as a result of long-term exposure to poor air quality.

Technology can definitely play a role, and providing appropriate cyber security for that technology is critical. Whether it’s carbon neutrality (London) or 80 by 50 (NYC’s pledge to 80 percent emissions reduction by 2050 as compared to 2005 levels), renewable energy, energy efficiency, smart transportation and smart buildings will play critical roles. And all need to be delivered securely.

As the conversation at the roundtable continued another relationship between the climate change debate and smart city cyber security emerged. In both cases there’s a need for integration. The New York State Department of Public Service Deputy for Markets and Innovation made the comment that everyone has a tendency to look for the ONE THING that will solve the problem – renewables, improved building stock, etc. But the reality is that it takes many efforts that need to be integrated together to achieve the goal.

The same thing is very true for securing smart infrastructure. We are often asked what one technology should be deployed. The answer is much more complex. Security must be designed in. And for the era of the Internet of Things it is particularly important that the integrity of devices and data be ensured from the moment the system is installed.

Security built into the hardware (secure boot, identity, secure storage, trusted execution environments) can be foundational, but we also need network security and protected infrastructure in the cloud. And it all needs to work together.
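Two of the hardware-rooted building blocks named above, secure boot and attestation, can be shown as a simulation. The block below is an added example written for this page, not code from any vendor or device: the firmware stage contents, the "ROM" hash, the device key and the nonce are constructed, and a MAC stands in for the asymmetric attestation key a real TPM or TEE would hold.

```python
"""Added example (not from the page or any vendor): secure boot, where each
stage verifies the next before handing over, and measured boot plus
attestation, where the device reports what actually ran in a form a remote
verifier can check for integrity and freshness.  All values are constructed."""
import hashlib
import hmac


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Constructed firmware stages and the boot policy derived from them.
STAGES_GOOD = [b"bootloader v1 (constructed)", b"kernel v1 (constructed)", b"rootfs v1 (constructed)"]
ALLOWED_HASHES = [sha256(s) for s in STAGES_GOOD]   # one authorized hash per stage
ROM_HASH = ALLOWED_HASHES[0]                        # on real hardware: immutable ROM/OTP
DEVICE_KEY = b"constructed-device-attestation-key"  # stands in for a TPM/TEE-held key


def secure_boot(stages) -> int:
    """Return how many stages executed.  A stage runs only if its hash matches
    what the previous, already-verified stage (or ROM) expects; the chain halts
    at the first mismatch, so an unauthorized image never runs."""
    expected = ROM_HASH
    booted = 0
    for i, stage in enumerate(stages):
        if expected is None or not hmac.compare_digest(sha256(stage), expected):
            break
        booted += 1
        # Real stages carry the next stage's hash inside their signed image;
        # the policy list models that hand-off.
        expected = ALLOWED_HASHES[i + 1] if i + 1 < len(ALLOWED_HASHES) else None
    return booted


def measure(stages) -> bytes:
    """Measured-boot view: every stage is recorded by extending a PCR-style
    register (pcr = H(pcr || H(stage))), so the final value commits to the whole
    ordered sequence and a later stage cannot roll back an earlier record."""
    pcr = bytes(32)
    for stage in stages:
        pcr = sha256(pcr + sha256(stage))
    return pcr


GOLDEN_PCR = measure(STAGES_GOOD)   # the verifier's known-good value


def make_quote(pcr: bytes, nonce: bytes) -> bytes:
    """Device side: bind the measurement to the verifier's nonce under the
    device key (a MAC here; real attestation uses an asymmetric signature)."""
    return hmac.new(DEVICE_KEY, pcr + nonce, hashlib.sha256).digest()


def verify_quote(pcr: bytes, nonce: bytes, quote: bytes) -> str:
    """Verifier side: first check the quote is genuine and fresh, then check
    the reported measurement against the golden value."""
    expected = hmac.new(DEVICE_KEY, pcr + nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(quote, expected):
        return "forged-or-replayed"
    if not hmac.compare_digest(pcr, GOLDEN_PCR):
        return "untrusted-measurement"
    return "ok"


def attest(stages, nonce: bytes) -> str:
    """Full round trip for a device that booted `stages`."""
    pcr = measure(stages)
    return verify_quote(pcr, nonce, make_quote(pcr, nonce))


if __name__ == "__main__":
    tampered = [STAGES_GOOD[0], b"kernel v1 (tampered)", STAGES_GOOD[2]]
    print("secure boot, good image:", secure_boot(STAGES_GOOD), "stages")
    print("secure boot, tampered:  ", secure_boot(tampered), "stages")
    print("attest good:", attest(STAGES_GOOD, b"nonce-1"))
    print("attest tampered:", attest(tampered, b"nonce-1"))
```

The two mechanisms answer different questions: secure boot refuses to run an image that fails policy, while measured boot runs it but leaves an unforgeable record, which is what lets network or cloud components decide whether to trust the device afterwards. The nonce in the quote is what stops a device from replaying an old, good measurement.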


When we introduced our strategy at FOCUS ’15, at its core a simple concept: create integrated security systems to automate the threat defense lifecycle so you can address more threats, faster, with fewer resources. With the recent announcement of our strategic partnership with TPG we want to further define our strategy and show how we are uniquely leading the market, making IT security as dynamic and responsive as today’s most dangerous threats.[1]

To start at the finish: the results of these security systems will be measurable – a simple but incredibly important conclusion. We define success not just through your satisfaction but through impact to key CISO-level metrics. When compared to disconnected architectures, we expect these systems should be able to:

Reduce overall time to protection from over four hours to one minute

Increase incident response capacity by up to 30x

Improve response time from over 24 hours to less than 7 minutes

We understand that if we can’t move your metrics, we have nothing to offer but a new widget – and you have enough of those already!

Fundamentally, we are creating these integrated and automated security systems because we believe:

Protect, detect, and correct are better together. The virtuous cycle of integrated security builds the best protection technology possible, finds and contains advanced threats, and rapidly remediates them … while adapting protection technologies to block the next threats better. Organizations with integrated security platforms are 30% better protected[2], and we want you to be part of that statistic.

Only automation can overcome staffing issues. You are clearly faced by a mismatch between your staffing (talent and volume) and the growth in number and sophistication of threats.[3] That gap is compounded by stove-piped tools that force analysts to manually connect the dots across them, which takes even more time and effort. Deeply automated security systems are critical to help solve that problem: eliminate routine tasks, enable faster new hire onboarding, and free your strongest talent to tackle your hardest problems. We expect automation to reduce manual effort by up to 70%.

No vendor can do this alone. The security industry is one of the most fragmented of any in IT and no one provider delivers the entire threat defense lifecycle. You need a practical way to integrate new capabilities into an overall platform approach. Only real partnerships, across industry leaders, can create true security systems that protect, detect, and correct.

Four Security Systems

With those beliefs fueling our strategy, we are building a platform-based architecture with four security systems: endpoint, cloud, hybrid data centers, and threat management. Each system combines multiple technologies into a single, integrated security system that allows us to break the Gordian knot: combining best-in-market technology with broad integration across common platforms. We expect these will drive the superior outcomes that you deserve with low operating complexity … to drive an operating cost structure you can afford.

Connecting these Security Systems

Each of these systems helps you address more threats, faster, with fewer resources. That said, because these systems are themselves built on platforms, they will work together to solve even bigger security problems. To pick just a few examples:

Closed loop threat defense: The four systems work together to share threat information and automate protection, which improves security and lowers cost. Using the example of a potential attack starting at the endpoint, our security systems automate the detection and response end to end (although a threat coming in through the cloud or data center would have the same flow):

Mobile workforce security: Due to the rise of SaaS applications, mobile workers can complete much of their work using only email, SaaS applications, and local compute. The combination of the converged endpoint and cloud-delivered data security systems is designed to create a “mobile clean zone” that secures those mobile workers’ devices and also keeps the organization’s data secure while off the corporate network … allowing them to more safely reconnect to the corporate network when needed. This includes technology from McAfee, but also from our partners like VMware® AirWatch® and MobileIron.

Security for Infrastructure as a Service: Securing the workloads and access of IaaS platforms like Amazon Web Services or Microsoft Azure highlights the interconnectivity of the public cloud, data, users, and security operations center to defend it successfully:

A Unique Point of View

A common hazard across the security industry is that vendors start describing their strategies with common words, and before long everyone sounds the same. To help cut through the buzzword bingo, here are a few areas where we believe our approach is truly unique in the market:

Integration: we are combining point tools and features, using common platforms, into integrated security systems. You can see this in the four security systems: each combines the capability from 3 or more point products into a single system. We deliver this integration at the management level with ePO and at the threat intelligence level through DXL as well.

Automation: with integration as our foundation, we then build in closed loop automation. This automation delivers more accurate detection, faster remediation, and closed loop protection. These benefits increase directly with the breadth of products and technologies that we integrate (our own or with other security providers).

Orchestration: with more of your organization freed up through automation, we then proceed to orchestrate. While automation is at the tools level, orchestration is at the systems level to not just drive actions but coordinate teams and accelerate investigation. The gains, across both security effectiveness and team efficiency, are the most dramatic here which is why this is the ultimate goal that both integration and automation are building towards.

Really?

Overall this may be surprising to some of you, and it is more true than ever that the proof is in the pudding. You may wonder if we can do this, and I appreciate that skepticism. I don’t ask for your trust – instead I invite you to join us at FOCUS16 in Las Vegas this fall. There, we will share with you the first round of technology delivery against this strategy. I think you will be – pleasantly! – surprised.

McAfee, McAfee logo, McAfee® ePolicy Orchestrator® (McAfee® ePO), McAfee® ePolicy Orchestrator Cloud (McAfee Cloud ePO ) and Security Innovation Alliance are trademarks of McAfee Corporation or its subsidiaries in the U.S. and/or other countries. Other names and brands may be claimed as the property of others.

[1] NOTICE: The information contained in this document is for informational purposes only and should not be deemed an offer by McAfee or create an obligation on McAfee. McAfee reserves the right to discontinue products at any time, add or subtract features or functionality, or modify its products, at its sole discretion, without notice and without incurring further obligations. Performance achievement objectives stated throughout this document assume certain environment configurations and are only representative of what we want to achieve, not a statement of current performance.

I’m privileged to lead a group of McAfee leaders to the annual Aspen Security Forum this week. This event is among the most prestigious gatherings of its kind. Dozens of government leaders, tier one journalists, and private-sector companies like ours connect in Aspen each July to discuss the most pressing national security issues facing the United States. The candid, diverse and direct discussions cover a broad array of topics of concern to our industry and yield helpful insights both to our team and the officials we meet.

I’ll be participating on a panel discussing the role of cybersecurity in our national security apparatus. CNN Justice Correspondent Evan Perez will moderate the discussion, and I’ll be joined on the panel by Assistant Attorney General for National Security John Carlin, Michael Daly of Raytheon, and Vinny Sica of Lockheed Martin.

While there are many issues of concern, I look forward to discussing the global cybersecurity talent deficit, and the potential national security ramifications of failing to address it.

The Looming Cyber Workforce Shortage

Not everyone may be willing to define thousands of unfilled tech jobs as a national security crisis, but we are. This week, the Center for Strategic and International Studies (CSIS) released a report supporting our assertion. It surveyed public and private IT decision makers on the quantity and quality of cybersecurity professionals in Australia, France, Germany, Israel, Japan, Mexico, the United Kingdom, and the United States.

The study reveals a global cybersecurity skills shortage, and it is allowing malicious actors to inflict real, quantitative damage to public and private interests alike.

Eighty-two percent of all survey respondents report a shortage of cybersecurity skills. Seventy-one percent say the talent deficit has hurt their organization. One in four blame it directly for data loss and reputational damage.

Whose problem is this? Public and private entities, including institutions of higher education, share blame for not doing enough to sync the supply of cybersecurity skills with soaring demand. In our survey, three out of four respondents criticized their governments for inadequate cultivation of cyber talent.

These decision makers fault colleges and universities for failing to develop and market attractive cybersecurity coursework. They view the standard four-year college degree as insufficient, and praise the value of hands-on experience, including gaming and hacking exercises.

A National Security Crisis?

Countries lacking the human beings to adequately protect their most vital data, national secrets, financial markets, and ground-breaking intellectual property are unlikely to be economically competitive with those nations who can. But, beyond the economic implications of the shortage, consider the billions of connected devices coming online throughout the critical infrastructure that increasingly run our world.

From train systems, to water utilities, to smart power grids, to first responder communications, as the Internet of Things becomes ubiquitous, digital attacks now threaten physical damage. If we do not address the shortage of cybersecurity professionals soon, nations could find themselves unable to maintain adequate cybersecurity postures to protect and defend their critical infrastructure.

Automation and Unpredictables

The survey reveals across-the-board confidence that automation technology solutions will prove up to the task of mitigating ongoing cybersecurity threats. It’s true that the next phase of the cybersecurity era will redefine the symbiotic relationship between automated solutions and their human managers, analysts, and decision makers. The incoming cybersecurity workforce will adapt to increasingly automated environments, from “human in the loop” to “human on the loop” processes.

Moving Forward with Solutions

This week in the Rockies, we expect to hear sober talk from America’s best and brightest about encryption, ISIL threats, spyware, foreign espionage, extremist propaganda, and more. All well and good. Having enough smart, discerning professionals on deck to manage these issues, however, is just as pressing a concern. It should, in fact, be near the top of the list.

The CSIS survey delivers a clear call for more public investment in cyber education by higher education institutions – and more ongoing learning programs for private sector workers. While the private cybersecurity industry continues to innovate, our expertise shortage is an essential national security challenge that cannot be solved in the private sector alone.

Just as we have in past conflicts, government and private industry must collaborate, set priorities together, recruit talent, and seriously invest in skills development to address the cybersecurity workforce shortage facing our nation.

I keep the things people care about safe. Their bank accounts, their private data, their social media accounts, their children, spouses, grandparents, employees and their company secrets.

I didn’t set out to work in cybersecurity. But given what I’ve learned about the business, its people and their sense of mission, and our growing criticality to the world at large, I urge you to think about it.

As a young professional, I did not count technology among my strengths. I majored in management at Oregon State, with a minor in behavioral science. I was not up coding all night. I was waitressing and bartending to pay tuition. I graduated without a job and finally found a rent-paying gig as an administrative assistant.

Hardly a storybook start for a would-be cybersecurity leader.

But after laboring for several years in a succession of corporate vineyards – becoming a product manager, getting an MBA on the side – a professional networking contact reached out and I was offered a position at McAfee. I joined as the VirusScan product manager (it was our flagship corporate solution at the time).

Just the next stop on the corporate shuttle, right? Wrong.

I saw within a year what a different industry security was. I stopped looking for the job that would deliver long-term job satisfaction, realizing that I may very well have found it. I’ve now worked at this company for 16 years.

Drinking the security Kool-Aid was not my plan. But after one short year I realized coming to work and keeping people safe was pretty cool. Not inventing rationales for obscure widgets, or assessing my worth according to how much jargon I could cram onto a presentation slide. I knew I was doing good and creating value for a world that had come to rely, with astonishing speed, on digital systems born fragile and vulnerable that have been playing catch up with the bad guys ever since.

Cybersecurity attracts extraordinarily committed people. Early in my McAfee term the I Love You virus broke out – a malicious e-mail attachment that affected tens of millions of PCs. It was not just another day at the office. We had grown men and women melting down on the phone, terrified that their company’s security teams might not tame the malware before it overwrote critical files and resent itself to all their employees’ Outlook contacts. I had colleagues work 3 days straight, pitching in without pause – amazing engineers, researchers and managers who brought passion to the task of protecting our customers. If we didn’t feel like a family before, we certainly felt that way after 72 hours of pizza, Chinese take-out, and a steady stream of caffeine. It felt like a cause.

At times like that ours is not a normal life. Of course I stayed.

In the years since the I Love You virus, cyberattacks have only grown more malicious and fateful. The threat has matured from mostly innocuous pranking to well-organized crime. Malware is an established industry with its own developers, pricing models and distribution chains. The bad guys have become serious adversaries.

Why don’t more young people respond to the urgency and rewards that come with such exciting work – the development of digital protection and detection technologies for the whole civilized world?

It’s partly because we have to make a better, clearer case. We need hard science skills and hard coding chops, but you don’t have to be a computer science or mathematics major to contribute to this industry. Look at me. I understand technology and know how to communicate its powers – and when the tech arena gets more good communicators, the public will better understand this field and more importantly, why it is so important to them personally and professionally.

It’s partly because private industry and higher education need to up their collaboration game. When McAfee piloted cybersecurity coursework with Cal Poly and my alma mater, Oregon State, the classes we designed filled up in 15 minutes. So we know we can ignite the next generation’s interest. We, as an industry, ought to work with more universities to proactively develop and disseminate cybersecurity curriculum.

And I think we have to reach young people sooner. When I talk to students in middle school and high school I tell them a cybersecurity career offers a chance to fight bad guys, yes. It rewards adrenalin junkies, yes. But it also makes you a caretaker, teacher and a hero all at once.

If in the 8th or 9th grade I had heard that pitch, who knows how much more quickly I might have gravitated to the career I love today. If today’s 8th or 9th graders hear it, I hope they’ll consider joining me.

Cybersecurity is more than lines of code. It’s keeping people and corporations safe and teaching them how to keep themselves safe. It’s what I do, and I want more company.

With enterprises moving to hybrid cloud environments, IT architectures are increasingly spread among on-premises infrastructure and public and private cloud platforms. Hybrid models offer many well-documented benefits, but they also introduce more complexity for securing data and applications across the enterprise. And this added complexity requires an increasingly diverse skill set for security teams.

That’s a challenge, considering the growing cybersecurity skills shortage. In one recent study, 46% of organizations said they have a “problematic shortage” of cybersecurity skills – up from 28% just a year ago. One-third of those respondents said their biggest gap was with cloud security specialists.

Modern security teams require a broad and deep mix of technology skills, ranging from twists on traditional network and OS technology all the way to security on data itself, to address a rapidly evolving threat landscape. But they also need “softer” expertise, such as knowledge of compliance regulations and vendor-management skills. Driving this dual focus is the public cloud’s “shared responsibility model,” in which service providers and enterprises divvy up various levels of protection across the IT stack. These responsibilities – and the requisite skills – vary depending on the type of public cloud service.

Security Skills

Certain skills are required across all uses of public cloud. For example, you’ll need in-house expertise with encryption and data loss prevention controls for content-rich cloud applications. Your IT teams need to know (and track) where your enterprise data resides in the cloud, what offerings your cloud service providers offer for data protection, and most importantly, how to integrate data protection policies in the cloud with your own company policies. On a similar note, your team will need sophisticated identity and access management (IAM) and multifactor authentication, including tokenization, regardless of whether you’re deploying SaaS, PaaS, IaaS, or a combination of those services.

For SaaS, your security teams need to be familiar with the various applications in use and with how to use logging and monitoring tools to detect security violations and alert appropriate IT staff. Post-incident analysis is a critically important skill for mitigating active threats and improving your security posture against future threats.

For PaaS deployments, you will also need to add skills to ensure that native cloud applications are being developed with security built in at the API level. Adoption of open security APIs can help to bridge the gaps among proprietary cloud environments.

For IaaS environments, the ability to provision software-defined infrastructure carries the need for highly technical security professionals who can create policies for server, storage, and network security on AWS or other platforms. These skills include the ability to monitor usage of compute, storage, networking, and database services, as well as the ability to manage security incidents identified in the cloud platform you’re using.

Audit and Compliance Skills

Many of the softer skills needed for cloud success stem from the need for organizations to gain more visibility into hybrid environments that are becoming more complex as SaaS, PaaS, and IaaS services are cobbled together with each other and private clouds.

“The challenge has never been about security, but about transparency,” wrote Raj Samani, our Chief Technology Officer here at McAfee’s Europe, Middle East and Africa division, in a recent blog post. To gain visibility into the security posture of a third-party provider, IT teams should at a minimum secure audit rights to examine the provider’s practices and ensure the proper certifications are in place.

Audit rights can be built into a service level agreement (SLA) as a way to make sure the provider complies with corporate security policies and industry or government regulations. This is one reason why the ability to develop comprehensive SLAs with service providers is an increasingly important skill. IT and security teams will need to work together to negotiate terms that provide maximum protection and visibility into third-party services, to ensure that data, applications, and other components of your cloud environment are secure and compliant.

In addition to formal audits, security professionals require skills (and tools) for continuously monitoring compliance and threats across SaaS, PaaS, and IaaS deployments in two key areas: threats and applications. Starting with threats, achieving (or maintaining) visibility to specific threats across these environments so your organization has a full view of attacks is critical. That visibility needs to extend across endpoint, infrastructure, and network elements in order to recognize and respond to coordinated, multi-angle attacks.

Second, in application security, experience with cloud access security brokers (CASBs) will help security professionals increase visibility into user behavior and user needs across public cloud service providers.

That said, we see convergence between the need for application visibility, threat visibility, and data security for SaaS applications, so look for skills that bridge those three areas as you build an organization for the future. The same need for a blended skill set will increasingly be true as threat and application needs converge.

Organizations in highly regulated industries also need to devote resources to tracking how third-party providers handle data and applications to ensure compliance with industry-specific regulations. The same goes for global players: Requirements around data storage can vary dramatically by country, requiring in-depth knowledge of local regulations regarding where data resides and how it is transmitted for any geography in which you do business.

Skills for Hybrid: the New Private Cloud

Security practices for a private cloud deployment – which enables enterprises to keep data and applications under their control – would seem to be more traditional than those for public deployments. But the virtualization technology that is inherent in the private cloud model creates a need for new security skills beyond those for traditional on-premises environments. The first is understanding the difference in the infrastructure itself, for example between a traditional virtual machine and a framework like OpenStack.

Second, as organizations explore software defined networking (SDN), they see a need for more automation skills, as security policy must co-exist with the orchestration to fully exploit an SDN environment.

Third, the security operations center will need more network insight as the east-west traffic becomes more material to threat analysis.

These skills become especially important as virtualization expands beyond servers and into networks and storage.

That said, most private clouds are truly hybrid clouds – and these will be the default moving forward. Hybrid clouds demand cross-domain threat visibility, along with the skills across the various cloud types to prioritize and respond to threats. This requires not only a broader level of technical depth but also more cross-team facilitation and leadership to analyze and respond to critical threats. Revisiting the soft skills points made earlier, this also includes leadership not just within the organization but across the set of SaaS providers relevant to a given situation.

The Bottom Line on Cloud Skills

The takeaway for security leaders: It’s time to optimize the skills of your team for the different types of cloud. Public cloud security – spanning SaaS, PaaS, and IaaS environments – is (a) more about policy, audit, analysis, and teamwork skills than pure technical depth, and (b) will include more cross-domain skills than are required in the more siloed on-premises structure. Creating the proper mix of skillsets for all of these scenarios will help build your confidence as you build out your hybrid cloud model.

Here are some tips for training – and retaining – good cloud security employees.

Every few months, concerns arise in blogs and in the media over the security of the devices we use every day. In most cases, these are rooted in simple misunderstandings or an incomplete picture of what is being done or how the technology operates.

The Intel Management Engine (Intel ME) was the object of one of the more recent cases, so we wanted to provide some additional context and data that might be helpful to the conversation.

First, we want to be very clear. Intel takes the integrity of its products very seriously. Intel does not put back doors in its products nor do our products give Intel control or access to computing systems without the explicit permission of the end user. In short, Intel does not participate in efforts to decrease security in technology.

Allow me to expand and share our approach to designing and implementing world class security for our customers.

The design of Intel ME incorporates established industry standards and security best practices, and delivers tremendous advantages to a variety of computing environments. For example, Intel applies what is called the “least privilege” principle, where users and administrators have only the rights needed to get their job done. We apply this principle to the design of our processors so each component has the minimum – yet sufficient – privileges it needs to perform a given task, mitigating the chances that attackers could use privileges to access areas they shouldn’t.

However, as we are all painfully aware, today’s threat landscape produces countless security challenges every year, targeting systems in a variety of areas. Should an issue arise after a product has shipped, Intel has architected its products with the ability to receive security firmware updates that can counter these issues in the field, allowing for more rapid responses to new exploits and threats.

This is possible because the entire industry has adopted a design methodology for application processors that assembles sets of building blocks, each of which has a particular function such as media decoding, manageability or communications. These building blocks are complemented by an embedded microcontroller or processor, which drastically simplifies and shortens development cycles, but more importantly to this topic, it can enable the ability to upgrade and repair a product after it has shipped should an issue arise.

These capabilities and protections have made Intel ME a well-known and widely used technology that improves security for our customers, enabling them to better manage, repair and protect computers on their networks.

Intel goes to great lengths to validate the security of our products and actively solicit input as part of our validation process. We have a defined set of policies and procedures, and a dedicated team to actively monitor and respond to vulnerabilities identified in released products.

We believe our OEM partners and end customers deserve both the agility that firmware updates allow and the protection to safely accomplish whatever they wish to with our technology to keep their devices secure.

Big data introduces new wrinkles for managing data volume, workloads, and tools. Securing increasingly large amounts of data begins with a good governance model across the information life cycle. From there, you may need specific controls to address various vulnerabilities. Here are a set of questions to help ensure that you have everything covered.

1. What is your high-risk and high-value data?

Data classification is labor intensive, but you have to do it. It just makes sense: The most valuable or sensitive data requires the highest levels of security. Line-of-business teams have to collaborate with legal and security personnel to get this right. A well-defined classification system should be paired with determination of data stewardship. If everybody owns the data, nobody is really accountable for its care and appropriate use, and it will be more difficult to apply information lifecycle policies.

2. What is your policy for data retention and deletion?

Every company needs clear directions on which data is kept, and for how long. Like any good policy, it needs to be clear – so everyone can follow it. And it needs to be enforced – so they will.

More data means more opportunity, but it can also mean more risk. The first step to reducing that risk is to get rid of what you don’t need. This is a classic tenet of information lifecycle management. If data doesn’t have a purpose, it’s a liability. One idea for reducing that liability in regards to privacy is to apply de-identification techniques before storing data. That way you can still look for trends, but the data can’t be linked to any individual. De-identification might not be appropriate for any given business need, but it can be a useful approach to have in your toolbox.

3. How do you track who accesses which data?

How you are going to track the data, and who has access to the data, is a foundational element of security. As your analytics programs become more successful, you are likely to be exposed to more sensitive data, so tools and storage mechanisms should have that tracking capability built in from the beginning. After all, if you don’t have the right tracking tools in place at the outset, it’s hard to add them after the fact.

4. Are users creating copies of your corporate data?

Of course they are. Data tends to be copied. A department might want a local copy of a database for faster analysis. A single user might decide to put some data in an Excel spreadsheet, and so on.

So the next question to ask yourself is this: what is the governance model for this process, and how are policies for control passed through to the new copy and the maintainer of this resource? Articulating a clear answer for your company will help prevent sensitive data from leaking out by gradually passing into less secure repositories.

5. What types of encryption and data integrity mechanisms are required?

Beyond technical issues of cryptographic strength, hashing and salting and so on, here are sometimes-overlooked questions to address:

Is your encryption setup truly end-to-end, or is there a window of vulnerability between data capture and encryption, or at the point when data is decrypted for analysis? A number of famous data breaches have occurred when hackers grabbed data at the point of capture.

Does your encryption method work seamlessly across all databases in your environment?

Do you store and manage your encryption keys securely, and who has access to those keys?

Encryption protects data from theft, but doesn’t guarantee its integrity. Separate data integrity mechanisms are required for some use cases, and become increasingly important as data volumes grow and more data sources are incorporated. For example, to mitigate the risk of data poisoning or pollution, a company can implement automatic checks flagging incoming data that doesn’t match the expected volume, file size or pattern.
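The automatic checks on incoming data mentioned above, as an added example that is not McAfee's code or the post's own: a batch is flagged when its record count or byte size deviates from the median of previous batches, when records fail the expected pattern, or when a MAC supplied by the source does not verify. The feed format, the history of previous batches and the source key are constructed for illustration; a real pipeline would read them from its own metadata store.

```python
"""Integrity checks on an incoming data feed.

Added example, not code from McAfee or the original post. The feed format,
the history of previous batches and the source key are constructed for
illustration; a real pipeline would read them from its own metadata store.
"""
import hashlib
import hmac
import re
import statistics

# Constructed history of the last five nightly feeds: (record_count, bytes).
HISTORY = [(1000, 24_900), (1012, 25_200), (988, 24_600), (1005, 25_000), (997, 24_800)]

# Expected record shape: ISO date, device id, signed integer reading.
RECORD_RE = re.compile(r"^\d{4}-\d{2}-\d{2},dev-[0-9a-f]{6},-?\d+$")


def make_batch(n: int, day: str) -> list:
    """Constructed feed of n well-formed records for the given day."""
    return [f"{day},dev-{i:06x},{(i * 7) % 100}" for i in range(n)]


def batch_payload(lines: list) -> bytes:
    return "\n".join(lines).encode()


def compute_batch_mac(lines: list, key: bytes) -> str:
    """MAC the source attaches so the consumer can detect tampering in transit."""
    return hmac.new(key, batch_payload(lines), hashlib.sha256).hexdigest()


def volume_anomalies(count: int, size: int, history: list, tolerance: float = 0.25) -> list:
    """Flag a batch whose record count or byte size is off by more than
    `tolerance` from the median of previous batches."""
    findings = []
    median_count = statistics.median(c for c, _ in history)
    median_size = statistics.median(s for _, s in history)
    if abs(count - median_count) / median_count > tolerance:
        findings.append(f"record count {count} deviates from median {median_count:.0f}")
    if abs(size - median_size) / median_size > tolerance:
        findings.append(f"byte size {size} deviates from median {median_size:.0f}")
    return findings


def pattern_anomalies(lines: list, pattern=RECORD_RE, max_examples: int = 3) -> tuple:
    """Return (number of malformed records, a few examples)."""
    bad = [line for line in lines if not pattern.match(line)]
    return len(bad), bad[:max_examples]


def check_batch(lines: list, history: list, mac_hex: str = None, key: bytes = None) -> dict:
    """Run all checks; a batch is accepted only when nothing is flagged."""
    payload = batch_payload(lines)
    findings = volume_anomalies(len(lines), len(payload), history)
    n_bad, examples = pattern_anomalies(lines)
    if n_bad:
        findings.append(f"{n_bad} record(s) fail the expected pattern, e.g. {examples}")
    if mac_hex is not None:
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac_hex):
            findings.append("batch MAC does not match the source's MAC")
    return {"accept": not findings, "findings": findings}


if __name__ == "__main__":
    key = b"constructed-feed-key"
    good = make_batch(1000, "2016-05-01")
    print(check_batch(good, HISTORY, compute_batch_mac(good, key), key))
    print(check_batch(good[:300], HISTORY))
```

The volume and pattern checks catch pollution that arrives through an otherwise legitimate channel (a truncated feed, a malformed or injected record); the MAC check catches modification between the source and the consumer. The two are complementary, and neither is provided by encrypting the data at rest.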

6. If your algorithms or data analysis methods are proprietary, how do you protect them?

Protecting proprietary discoveries? That’s old hat. What’s easier to miss is the way you arrive at those discoveries. In a competitive industry, a killer algorithm can be a valuable piece of intellectual property.

The data and systems get most of the glory, but analysis methods may deserve just as much protection, with both technical and legal safeguards. Have you vetted and published a plan for securely handling this type of information?

7. How do you validate the security posture of all physical and virtual nodes in your analysis computing cluster?

Big-data analysis often relies on the power of distributed computing. A rogue or infected node can cause your cluster to spring a data leak. Hardware-based controls deserve consideration.

8. Are you working with data generated by Internet of Things sensors?

The key with IoT is to ensure that data is consistently secured from the edge to the data center, with a particular eye on privacy-related data. IoT sensors may present their own security challenges. Are all gateways or other edge devices adequately protected? Industrial devices can be difficult to patch or have a less mature vulnerability management process.

9. What role does the cloud play in your analytics program?

You’ll want to review the contractual obligations and internal policies of those hosting your data or processing. It’s important to know which physical locations they will use, and whether all those facilities have consistent physical (not just logical) security controls. And of course, the geographic locations may impact your regulatory compliance programs.

10. Which individuals in your IT organization are developing security skills and knowledge specific to your big-data tool set?

Over time, your project list, data sets, and toolbox are likely to grow. The more in-house knowledge you develop, the better your own security questions will be.

Continuing Momentum on the New and the Next
https://securingtomorrow.mcafee.com/executive-perspectives/continuing-momentum-new-next/ (Mon, 02 May 2016)

New. Next. It’s how we defined the future of cybersecurity, and of our organization, at the 2015 FOCUS Security Conference. It’s gratifying that since October customers have rewarded us with meaningful gains. In Q1, our revenue was up 12% year over year, and we continued strong growth in net income as a result of our portfolio restructuring in 2015 (you can access our financial results here).

In our corporate products business our growth is driven by execution against the strategy we announced at FOCUS. We see organizations challenged by an expanding attack surface, a talent shortage, and an inability to detect and respond to threats quickly. As Chris described earlier, our strategy is to automate the threat defense lifecycle. This means we:

Concentrate our investment in Endpoint and Cloud as key control points, using advanced analytics and automation for detection and response to advanced threats

Partner with industry leaders in areas of their strength to the benefit of our joint customers

Fast forward to this week. Customers are asking me, “What does Intel’s restructuring mean for McAfee?” My answer is twofold.

First, Intel is transforming from a PC company to a company that powers the cloud and billions of smart, connected computing devices. The data center, cloud, and Internet of Things along with memory and integrated circuits, these are foundational growth engines for Intel’s future, and our restructuring puts us in a strong position to efficiently and effectively pursue the opportunities these technologies represent. Intel’s Q1 financial results confirm that the company is investing in the right areas. And of course, security is an implicit enabler of the cloud, data center, and IoT.

Second, McAfee is transforming as well. Our transformation started in 2015, when we made a number of changes across our portfolio, and our team—all in order to fully focus our energy on automating the threat defense lifecycle. Of course we’ll constantly work on being more efficient, but our central focus is to invest in the right technologies, and to follow a roadmap that results in the best outcomes for our customers and partners. In short, our strategy, plans, and execution capabilities continue, unabated. These changes are driving the results both we, and our customers, expect. As a result, we’re continuing to focus and execute against our plans.

One example of our steady focus on execution is that in Q1 we delivered 15 new releases across our software, appliance, and SaaS solutions. While these achievements illustrate strong execution by our organization, I’m even more excited about the increased rate of innovation I see moving forward. To be crystal clear—I see McAfee delivering more technology to the market in 2016 than we did in 2014 and 2015 combined. That acceleration is due to three factors: platforms, concentration, and you.

We spent a great deal of time and effort over the past few years building technology platforms that benefit customers and accelerate innovation. A great example is our recent Endpoint Security v.10 release, bringing a single, extensible agent platform to market. Customers on v.10 benefit from agent consolidation, improved security, and a better user experience. Likewise, we can innovate much faster by leveraging the agent framework to rapidly add ‘blades’ of functionality across the platform.

The second factor accelerating our work is concentration. When I joined the organization last summer our engineering team’s feedback was clear: they were spread too thin. By trying to do ‘a little of everything’ we weren’t giving our engineering teams the support they needed to do what ‘needed to be done.’ Improving the focus of our portfolio work—while increasing our total R&D staffing YoY—means we now are literally doing a few things…but doing each of them much better. Having personally seen the development work in process, I’m excited about what we are bringing to market this year. I see a much better user experience. I see better leverage across converged platforms. And I definitely see market-leading capabilities.

This brings me to our third, and final factor for success: you. Some may be surprised—but I think you, along with all of our customers, will be delighted with the progress and innovations we continue to drive. I, along with the teams I lead, are proud of the transformation we are driving to secure the computing experience. I look forward to sharing these innovations with you as they come to market. Innovations worthy of a new vision for a new industry, fully prepared for what comes next.

Research indicates the challenge has never been about security, but about transparency.

The results are in: We have made zero progress since 2010. This was the year that IDC published results of a survey regarding cloud computing, and it found that security was the biggest barrier toward adoption. This statistic has found its way onto pretty much every presentation about cloud computing since 2010.

Well, the year is 2016, and a recent McAfee study asked 1,200 IT decision-makers what their biggest concern is; the most common answer was data breaches. What is remarkable about this is that the next question in the survey asked respondents to comment on what issues they have experienced, and those were not security related. In fact, the biggest issue was the difficulty in migrating services or data. Incidentally, this is likely to get worse as the use of platform-as-a-service and infrastructure-as-a-service becomes more ubiquitous.

This raises the question of whether security concerns are exaggerated. Indeed, those of you who have heard me speak know that I do not believe the term “cloud security” is even an issue. Firstly, the concept of cloud is misused. If we strictly adhere to the NIST definition as per NIST 800-145, then the number of service providers offering a cloud service is a lot smaller than Google results suggest.

One of the key characteristics of a cloud provider (as per NIST) is to offer on-demand self-service. In 2012, the website CloudSleuth investigated how many cloud service providers actually fulfilled this characteristic; its research found that “of the 20 companies we selected in this round, only 11 were fully self-serve, nine required some level of sales interaction, and astoundingly, three of those nine simply didn’t respond to our requests.”

It’s About Transparency

So the term “cloud service provider” in practical terms is simply a company offering computing resources over broad network access. (Thank you, NIST!) Now let’s move to the concern regarding security. The question is not whether a provider is secure — moving away from the argument over what constitutes secure or not. The challenge is how to determine the level of security of a provider. Therefore, the challenge has never been about security, but about transparency; in other words, how can you determine the security posture of a third-party provider without the ability to physically audit? Of course, annual audits have been the default tool of choice for many years now, but this model only provides a certain level of assurance.

Work within the Cloud Security Alliance (with whom we collaborated on this research) has begun to develop the necessary tools to provide the transparency so desperately needed. For example, STAR is a registry that documents the security controls deployed by providers. But perhaps the most encouraging tool is STAR Continuous Monitoring, which provides transparency of the security posture of a provider even after the auditor has left the building.

Perhaps for 2017 the concern of cloud security will not make it onto the opening slide of every presentation, and we can discuss the adoption of tools such as STAR that provide the requisite transparency into third-party providers. If there is concern about the security of a cloud provider, then the simple answer will be not to use them and to find a provider that satisfies the risk appetite of the end customer.

Sometimes the impact of an attack can extend well beyond the attack itself.

McAfee’s five-year threats projection report predicted that ransomware would become a major growth area, given higher ransom “returns” achievable from organizations suffering the potential loss from paralyzed organizational systems. By Q1 of 2016, these predictions have already come true. From February onward this year, press headlines have revealed that numerous healthcare organizations in the United States and around the world have been hit by ransomware attacks. In some cases, these attacks were random instances of individual systems falling prey to commoditized ransomware. But in multiple instances, the attacks were targeted (see https://securingtomorrow.mcafee.com/mcafee-labs/targeted-ransomware-no-longer-future-threat). And in at least one case, a healthcare organization chose to pay the ransom.

It’s notable that the healthcare vertical — the sector that arguably holds the most extensive and non-changeable stores of our most personal, intimate data — arguably possesses one of the poorest track records for cyberattack preparedness. This poor reputation for preparedness has earned medical clinics, hospitals, and insurance providers the “soft target” label. But as in other industries, an assessment of vertical-specific cyberattack costs can lead to better IT security investments and more effective organizational processes that “harden” these targets.

Besides the paid ransom, what can be said about the other costs that are related to these attacks? Some of the major areas we should examine include:

Lost or stolen record(s) costs

Downtime costs

Incident response and audit/assessment services

A great resource for gauging the value of breaches is the 2015 Ponemon Institute’s Cost of Data Breach study. The report assesses the differences in cost per stolen or lost record by industry, including a healthcare industry approximation of $363 per record.

Healthcare organizations face particularly high stakes in dealing with ransomware because disruptions in availability can jeopardize the core mission of the organization. Surgeries and appointments will be delayed, lab results will take longer, and patients will have to travel to other facilities — all inconvenient results of systems that were impacted.

Sometimes the impact of a ransomware attack can extend well beyond the attack itself. A study conducted by the AC Group concerning downtime cost calculations of electronic healthcare records gives us an indication. The study assessed several cyberattack factors, including the additional time spent to perform tasks manually and to update records after the systems were up again. The study established an average cost of $488 per hour per physician.

Not every healthcare organization can afford a dedicated incident-response team or an IT security team that executes ongoing assessments of the organization’s assets and applications. The reality is that most healthcare organizations hire an external company for these services after a breach.

Case In Point

Let’s review an example in which a healthcare organization suffered a ransomware outbreak that affected a small number of endpoints and some network data.

The type of breach, extent of damage, and management focus shape the nature and scope of the incident-response engagement. In a ransomware case, the organization would be most interested in determining the scope of the incident (how widespread it is), which systems are targeted, which files are encrypted, and how the attacker breached the organization.

A team of two incident-response consultants onsite with remote expertise support, management overhead, and reporting will easily require a 10-day assignment. Based on our experience, that effort would result in an engagement of $75,000 to $90,000 per incident response. In the case of a compromised application or asset, an audit/assessment would be required, as well as another quick check once the fix was complete. That would easily cost another $20,000 to $25,000.

The following table is a rough approximation of the additional cost and damages for an organization in this scenario.

However, this table shows an incomplete list of costs. On top of these operational impacts are considerations that could include:

Possibly paid ransom

Legal costs

Notification costs

Restoring impacted assets costs

Internal/external communications costs

Overtime costs for IT personnel

Damage to reputation and brand

Regulatory penalties and fines

Increased compliance and audit costs

Lost trust from patients

A ransomware incident as we have described can easily result in a total cost between $700,000 and $1.5 million, depending on the size of the hospital, the impact of ransomware, and whether backups were available.

The Ponemon research notes factors that lower the cost per stolen, lost, or encrypted record. For example, organizations can lower the cost per record by $5.50 by engaging the organization’s board in an effort to prepare for potential attacks. Cybersecurity insurance also appears to reduce damage per record by $4.40. And although few healthcare organizations have budgets for their own dedicated incident-response teams, the engagement of “shared” incident-response teams appears to lower the financial impact by $12.60 per record.

Healthcare organizations should take information security as seriously as they take their mission to provide patients the best possible care. Securing information must have the highest priority so that threats such as ransomware cannot impact the availability of critical systems.

The indictment of five Iranian hackers three years after the fact raises the question: Is naming them a worthwhile part of the threat defense lifecycle, or is it a meaningless distraction?

This week, the US Justice Department announced an indictment has been prepared for five Iranian hackers allegedly responsible for the breach of systems at a small Rye, NY, water dam. This development prompts two lines of thought at McAfee: Is this after-the-fact attribution, also called “name and shame,” a worthwhile part of the threat defense lifecycle, or is it a meaningless distraction?

Let’s try and explore both sides.

Attribution Helps

Information security and privacy practitioners have long been warning against the potential impact of Internet-driven attacks against critical infrastructure, such as the recent incursions into the Ukraine power grid where 80,000 were without power for six hours. There was also the foundry incident in Germany where a cyberattack inflicted greater than $1 million in physical damage to the facility. Our growing dependence upon Internet-enabled devices to ensure operational efficiency and reduce costs has created opportunities for our critical infrastructure to be subjected to remote manipulation and disruption.

The Justice Department indictment will name five hackers who “probed” the Bowman Avenue Dam using a cellular modem attached to the dam’s sluice gate. The DoJ “naming and shaming” indictment drew dozens of top-tier publications and networks to respond within hours of the news, thereby raising public awareness that our use of the Internet potentially increases critical infrastructure risk.

In theory, this in turn creates a teaching moment, so while respecting the need for operational efficiency that the Internet offers, as a society we become more mindful that enabling that efficiency must be tempered with security and privacy considerations.

Attribution Is Irrelevant

Who took the cookies from the cookie jar?

Iranians took the cookies from the cookie jar!

Who, me?

Yes, you!

Couldn’t be!

Then, who?

If someone has taken your cookies from the cookie jar via the Internet, knowing who it was after it’s long over doesn’t help you at snack time.

Reflecting upon the length of time it took to determine attribution to Iran, Sen. Steve Daines (R-Mont.) commented, “It is downright shameful that it has taken President Obama three years to denounce Iran for a malicious cybersecurity attack on our country.”

Partisan rhetoric aside, what is the actual value derived three years later? The attackers can deny involvement as digital attribution is a difficult thing to prove. The attribution doesn’t make any other critical infrastructure networks any more secure, the indicted are unlikely to ever be arrested or prosecuted, and a titillating headline serves only to distract us from the core problem: It is extremely likely that other critical infrastructure networks around the world are just as vulnerable as the Bowman Avenue Dam.

This is akin to a driver taking his eyes off the road to look at the car crash that caused a highway traffic slowdown — he has become inherently part of the problem by not focusing on the task at hand.

Is there a happier medium?

At McAfee, we believe these teaching moments should be focused on keeping our eyes on the road. Knowing who bad drivers are may help you avoid a future crash, but it isn’t paramount immediately after you’ve just been wrecked. You’ve got different problems to resolve.

Let’s look at this particular situation from the teaching moment standpoint:

Why was the control system for the sluice gate connected directly to a cellular modem?

Could the control system be separated from the Internet by a firewall?

Could strong authentication mechanisms be employed rather than using a fixed password?

Could the modem itself be configured in a way that either limits who could connect or how its services are advertised to the Internet?

Most importantly, could we create a checklist that other technically limited critical infrastructure organizations could use to avoid their own disaster at snack time?

A revolution in human-machine teaming for security operations is at hand.

Cybersecurity has two great resources that work well together — experienced security ops personnel and learning machines. Machines can work at the speed of electrons and process enormous quantities of data, but they are challenged when dealing with unforeseen scenarios. Human judgment and experience cannot be replicated by machines, but humans struggle to find patterns in massive data sets and they operate in minutes, not microseconds. For us to be truly effective as an industry, we need to deliver solutions that combine human and machine working together to fend off cyberattacks that can multiply and adapt in microseconds.

We are facing a significant labor market shortage in cybersecurity, both in numbers and experience. At the same time, there are traditional fears about automation and machine intelligence. One is that people will be replaced by machines, and another is that the machines will create enormous messes by compounding poor decisions. In this case, we are talking about using the machines to amplify the effectiveness of security operations and incident-response teams. Technology is not replacing people, but in the spirit of the best teams, each is working to its strengths.

One example of this is computers and chess players. In 1997, an IBM supercomputer beat a human chess grandmaster for the first time. Chess has a large quantity of data and a lot of patterns, which plays well into the strengths of the machines. However, in 2005 a couple of amateur chess players augmented with three PCs beat a whole range of supercomputers and grandmasters. The human/machine team was better than either alone.

In cybersecurity, we are gathering vast amounts of data, and there is an assumption that with increased visibility, enough data, and the right algorithms we will be able to predict threats. However, cyberattacks are not deterministic, as they contain at the core a human who can be innovative or random in his approach, and visibility does not give you insight into your adversary. Algorithms and analytics on their own cannot comprehend the strategic nature of the adversarial game that is being played against the cybersecurity bad actors.

So technology will not be replacing security professionals anytime soon, but it does bring tremendous advantages to the defense. Shared threat intelligence helps prevent attacks from being used over and over again, or from propagating rapidly throughout your network. You need a learning machine to detect and contain attacks at the speed of light, while humans work to mitigate the problem and develop long-term solutions.

With the increasing number of targeted attacks that are executed only once, threat intelligence might not help. The same is true of zero-day exploits or new attack types. The machines won’t have rules to deal with this, but they can help filter the alerts and correlate actions to raise the alarm to their human colleagues sooner than a human acting alone.

The machine revolution is coming, but not the way Hollywood movies portray it. Machines are coming to be the best teammate you could ask for.

Intel is one of the world’s leading technology companies. One of our important objectives is to bring a protected and secure computing experience to the world. Accordingly, we have a deep understanding of the vital role strong encryption plays in protecting both privacy and security.

Today, Intel filed an amicus brief in response to the U.S. Department of Justice’s attempt to compel Apple to create security-disabling software for an iPhone involved in an investigation. Admittedly, the case presents difficult choices, depending on how you view the role and importance of innovation in an increasingly connected world.

Intel fully supports law enforcement’s goals to protect national security and the American people. Indeed, recognizing the importance of this mission, we comply with lawful demands for information from government agencies.

However, companies like ours are in business to improve the security of our products, and to safeguard the digital lives of those who use them. It’s an unprecedented step for the government to require a company to develop technology that weakens security in a commercial product. Such a move chills innovation. Intel believes we need to accomplish safety, security, and personal privacy. We also believe we need a greater dialogue among and between all stakeholders. We’re eager to be part of that conversation.

It’s great to see the White House leaning forward and taking action to improve our national Cyber Security posture by announcing a Cybersecurity National Action Plan (CNAP) and issuing an Executive Order to create a permanent Federal Privacy Council. Both initiatives will improve the national posture on cybersecurity and privacy – issues McAfee believes are closely related.

One CNAP element I’m particularly passionate about is workforce development. I have frequently called for the creation of a ‘cyber corps’ to address the growing cyber skills shortage, so I am pleased that the CNAP includes funding for a CyberCorps Reserve program. A $62 million investment will fund scholarships for Americans who want to obtain cybersecurity education and serve their country in the civilian federal government, as well as increase the number of institutions that offer cybersecurity programs. This is a good first step. To realize the vision, it will take more investment both by government and the private sector.

The security industry has talked at length about how to address the barrage of hacks and breaches we face, but we haven’t brought enough urgency to solving the cybersecurity talent shortage. More than 209,000 cybersecurity jobs in the United States alone were unfilled last summer, and cybersecurity experts estimate there will be 1.5 million more jobs than takers by 2019. McAfee alone has more than 250 available security jobs in the United States, so we understand the criticality of creating a robust 21st century workforce.

Security and privacy go hand in hand, so I am pleased to see the CNAP specify the creation of a Federal Privacy Council. As the principal interagency forum tasked with improving the privacy practices of federal agencies, the Council will have a major impact on both privacy and security initiatives. This is a significant milestone in efforts to preserve America’s core value of privacy.

McAfee has frequently commented about the essential link between privacy and security. To put it simply, it takes data to protect data. To provide robust cyber protection, government and the private sector will need to process personal data and share some of that data with other organizations. At the same time, we need the right oversight and controls to help reassure individuals that data relating to them will not be used inappropriately.

We look forward to working with the new Federal Privacy Council to promote privacy while also enabling businesses and government agencies to pursue the innovative use of data. And we’re enthused about working with government and industry to support the development of a CyberCorps, which could operate as a type of Cyber National Guard. The concept deserves our highest attention, and the federal dollars dedicated to it will be extremely well spent.

No organization will ever be impervious to breaches, but efficient organizations can lower their overall spend.

The intense demand for trained information security and privacy practitioners is reflective of the convergence of technology, productivity, and profitability. CIOs and CISOs that balk at enabling more mobile, cloud, and Internet of Things (IoT) tools not only find themselves in a cultural conflict, but as more and more devices become IP-enabled, reluctant security practitioners will also find themselves at odds with the business or mission of the organization.

For instance, Boston Consulting Group indicated that the remote cardiac monitoring market in the US alone would eclipse $1 billion in 2016, a specific example of the convergence between technology, productivity, and profitability. The ability for a doctor to remotely adjust a pacemaker without a patient visit or in an emergency situation has a profoundly positive impact on patient care. Information security and privacy practitioners simply must find a way to enable this kind of technology while encompassing the risk as best they can.

At the same time, there is a systemic personnel problem. There are simply far too few trained information security and privacy practitioners available to organizations; the baby boomer generation is taking decades of experience with it into retirement; and the prospects for replacing them are bleak. The 2015 (ISC)2 Global Information Security Workforce Study estimates two global labor gaps: the gap between the existing workforce and what the respondents’ companies are funded to hire (600,000 workers), and the gap between the existing workforce and what those companies believe the need is (1 million further workers). As more devices become IP-enabled for the first time and need to be incorporated into an organization’s information security and privacy posture, the tax upon practitioners will become even more pronounced. Also, for the first time in the (ISC)2 study, practitioners have become acutely aware that the premise that they’ve used for the last 20 years — buy unique tools for each specific IS and privacy problem — has created an unwieldy “sprawl in security technologies.”

All of these conditions — demand, expanding IP footprint, convenience, cost reduction, and insufficient trained practitioners — create an untenable competition between business or mission enablement and security. Evidence of this competition can be seen in the dramatic increase in time from breach detection to remediation. The (ISC)2 study results show a troubling trend indicative of a workforce stretched by demand and sprawl, as indicated in the chart below:

It is for these reasons that dramatic improvements in both efficiency and efficacy should be the goal of any decision IS teams are considering. The ability to get to solid results quickly is the only way that teams can compete with the mathematical problems described above. Any decision regarding methodology, vendor, product, or service that doesn’t demonstrably increase efficiency and efficacy is a bad decision.

Organizations that invest in ensuring that their infrastructure becomes more streamlined, automated, interoperable, resilient, sprawl-reducing, and focused will stay ahead of the math and enjoy the most important results.

No organization will wind up impervious to breaches, but efficient organizations will lower their overall spend by consolidating the number of vendors, tools, and services they use; reduce their labor-hour costs by ensuring automated means of execution; reduce the number of events that operators and analysts need to respond to manually; and shrink the hours operators and analysts spend by reducing events requiring follow-up to fewer, more noteworthy events. The time between breach and detection and the time between detection and remediation will drop measurably, ensuring that breaches don’t have a material effect on the business or mission of an organization.

Over the next few weeks, I’ll explore several techniques that will allow organizations to improve their efficiency and efficacy and reduce the labor hours and per-hour costs associated with operations.

This is Mike.

Mike works in the security industry and is concerned about his privacy.

Mike wonders why people sign up for Facebook apps so quickly.

Mike doesn’t sign up for Facebook apps without a quick read of the terms of agreement.

Mike is smart.

Be like Mike.

A few months ago, people on Facebook were up in arms over a perceived breach of their privacy (which turned out to be a hoax), so they were posting the following status:

“As of September 29, 2015 at 10:50 p.m. Eastern standard time, I do not give Facebook or any entities associated with Facebook permission to use my pictures, information, or posts, both past and future.” And so it went on for another 100 words or so. Aside from the fact that this was in response to a hoax, there was quite a lot of noise made about this supposed violation of their privacy. But my question is, how quickly do they give up their privacy when presented with a new app or new technology?

Fast forward to last week, and many people were creating posts with an app that does a cute summary of their actions or personality, accompanied by a stick figure. Now this app, Be Like Bill, has a pretty good privacy policy and terms. They clearly state, in a brief and readable format, that the information collected is only used to generate the post, will not be stored on the server, and will not be provided to other companies. The only clause that elicits any concern allows them “to use, edit your content with our service permanently, no limit and no recover.” I understand that this makes it a lot simpler to run the site without having to respond to concerns or requests to delete a post, but it does significantly reduce your options.

Many of these fun quizzes or posts go through everything that you have done on Facebook. That should raise a red flag about the potential privacy issues, but millions of people install them and trade their privacy for a brief moment of fun. Unfortunately, there’s a very fine line between an app that’s fun and one that can be damaging. Most fall in the fun category and ask for a limited set of information. However, at least one recent app asked for a bit more.

If you install that app and give permission, the developers can harvest your:

Name, profile picture, age, sex, birthday, and other public info

Entire friend list

Everything you have ever posted on your timeline

All of your photos and photos you are tagged in

Education history

Hometown and current city

Everything you have ever liked

Your IP address

Info about the device you are using, including browser and language

I am not saying that this particular app is malicious, but no quiz or app should need access to this level of detail. They may or may not promise in the user agreement not to store it, use it, or sell it, but either way you have lost control of your data and associated privacy. It is much better for apps not to ask for it in the first place.

Harmless Or Harmful?

As a consumer, how do you tell the difference between fun and potentially damaging? Look closely at what the app is asking for, and think about the potential risk of that data. Consumers are the big target of these apps, and where security and privacy are concerned, people are always the weakest link. This same info could be used to guess passwords, security questions, or even impersonate someone for a bit of live social engineering, all of which have serious business implications.

Now, people have not been reading terms of agreement for decades, and they are not likely to start anytime soon. What I would like to figure out is why the Facebook privacy hoax rampage didn’t provoke concern over other apps. Or more important, what do we need to do differently so that data requests by every app, device, and Web page are treated with appropriate levels of privacy concern? Because at this rate, it is only a matter of time before we might as well just publish everything and save our adversaries the trouble.


How to identify risks, understand downstream effects, and prepare for incidents.

You’ve got your organization protected as best you can, but what about your supply chain? Like any type of chain, the security in your supply chain is only as good as the weakest link. Can malicious software find its way into your company or your products through your supply chain? Can a weak downstream link lead to an opportunity for exploits that take advantage of your intellectual property? Or can disruption of one link disrupt your profitability?

Almost every business is dependent on far-reaching supply chains, and we have already seen some serious cyber incidents from security lapses. Historically, supply chain professionals focused on protecting links through supplier qualification, insurance, and physical security, protecting against risks ranging from theft to delayed deliveries. While those practices remain essential, today’s supply chain professional must add a focus on information security to their defensive strategy. New efforts must focus on protecting intellectual property, defending against hacktivism and espionage, detecting embedded malware, and ensuring continuity of operations.

Managing security risk in your supply chain is new, but you have probably already been through a similar process with quality. First, you identify and classify each of your suppliers with regard to what they do now and the critical aspects of their contractual obligations. Then you define a clear baseline of security and privacy requirements for the group. Standards tools such as ISO/IEC 27036 (information security for supplier relationships) can provide a solid baseline.

With a baseline established, the next step is regular validation of security and privacy controls. Validation can be challenging, full of competing acronyms, contractual issues, and resource constraints. Doing this for every supplier in your chain is unrealistic for most companies, so it is important to prioritize. And fortunately there are standards and processes emerging for various industries that range from self-assessment to third-party certification.

One example is the Cloud Security Alliance’s Security, Trust, and Assurance Registry (STAR) for various cloud computing offerings. STAR is a straightforward three-level certification, accompanied by a publicly accessible registry. STAR provides important information about product certifications, including the date, country, term, and level of certification. Decisions can be based on a simple cost and risk comparison, or on more thorough analysis of the strengths and weaknesses of current or potential suppliers. Analogous to ratings systems in other industries such as banking or tourism, STAR requires little technical training to understand the difference between level 1, 2, and 3 certifications.

These certifications are also valuable to your supplier. Suppliers can readily compare themselves to their competitors and build a strategic perspective of their own organization’s risks and opportunities.

From your customers’ perspective, your company includes the extended network of people, processes, and partners involved in delivering products and services. You cannot “go it alone” or dismiss these issues as limited to supply chain experts.

Validating the supply chain, whether it is for product quality or information security, is now an essential part of your success. You need to identify risks, to understand the potential downstream effects of a security breach or cyberattack, and to prepare response plans so that you can respond quickly to an incident. The alternative could be a serious loss of reputation, customers, and profits.


As French safety officials pieced together information following the attacks in Paris at the hands of ISIS, there’s no doubt they meticulously tracked witnesses interviewed, items recovered from the crime scenes and other helpful notes for the ensuing investigation. While the U.S. has robust security practices, often local police are still writing field interview notes by hand and thus would be sifting through stacks of notecards full of information – hardly helpful for putting the pieces together until they’ve been logged in a database. The private sector is rapidly developing solutions for law enforcement, however, and when FirstNet is built out, there will be a network to unify those communications – safely and securely, if current plans hold.

Here are just two advances that will greatly enhance law enforcement’s communications efforts. Haystax Technology recently introduced its Mobile Field Interview application, enabling public safety personnel to capture field interview (FI) information from an iOS or Android device. Rather than relying on cumbersome, inefficient paper notecards, law enforcement officials can conduct these FIs through the app and sync the resulting notes to the cloud. Indexed FIs become viewable and searchable by other members of the organization, resulting in increased information sharing and efficiency.

Another product unveiled recently is Mutualink’s Wearable Smart Gateway (WSG), the world’s first wearable for first responders. The WSG, powered by the tiny, low-power Intel® Edison chip, is the first in a series of devices emerging from the Internet of Public Safety Things (IoPST). This palm-sized, high-performance multimedia gateway will reduce response times and help first responders coordinate more effectively.

Solutions like Mutualink’s WSG and Haystax’s Mobile Field Interview will soon have a home with the development of FirstNet, a first-of-its-kind broadband network dedicated to public safety, providing a single, interoperable platform for emergency and daily safety communications. The network will enable public safety officials and first responders to send and receive data, video, images and text – all on one shared network. This exclusive network will provide a shared operating picture and increased situational awareness, further improving emergency response times and increasing efficacy during emergencies.

Our first responders have an incredibly difficult job as it is; their communication and coordination shouldn’t be hampered by outdated technology or an unreliable, insecure network. Connectivity and speed are critical; so is security. We need to ensure FirstNet is built with security in mind from the ground up, for without security, the network’s effectiveness is severely compromised. It’s possible to engineer both speed and reliability into FirstNet, and that’s what we need to do. Then new apps and products coming to market will be even more valuable, as emergency responders will have the benefit of a robust, secure network. The private sector is great at innovating, and it’s good to see that innovation directed toward law enforcement. Now we just need the network to bring it all together – securely.


Something malicious this way comes. A fast reaction can reduce your risk.

You have just detected an attack and alerted the incident-response team, one of 38 investigations you will likely conduct this year. Half of these are probably generic malware attacks, but the rest are higher-risk targeted attacks or data breaches. Now you are working against the clock and against the potentially exponential rate of further infections, trying to get your systems back to a known state.

What happens if you cannot stop the attack soon enough? We have all seen the immediate and public effects of a security breach, but what happens afterwards? You have isolated the machines that you think are infected and begun the laborious process of cleaning them. Or you buy new machines and operate completely separate networks while you carefully scrub and transfer data from the old to the new. Or maybe you find yourself so deep in a hole so quickly that you cannot dig your way out, so you just work around the infected machines.

These and other security scenarios are playing out at organizations around the world. Attackers are shifting to focused, designer attacks targeting specific companies and individuals. They have been testing the behaviors of preventative technologies and are learning how to get through security defenses and minimize detection. A fast and active incident-response capability is now an important part of your overall security plan.

Our research underlines the importance of responding effectively within the first hour. You are probably already struggling with the volume of security data. There is so much data flowing in from your existing tools that it takes a long time to analyze it, delaying your response. Or you have made compromises on the data being collected, and you are missing important indicators of attack.

Risk Reduction

Speeding up incident detection and gaining an understanding of the potential impact and scope are the most important tasks in reducing risk. What you need is the ability to perform live investigations. Using historical data as the foundation, automated endpoint collectors can learn the system’s state and context, watching for any changes to network flow, registries, or processes that may indicate an attack. This also includes deleted files or dormant components, tricks that are commonly used to evade detection.

Quickly alerted to an attack and its potential scope, the next important tasks are taking action to minimize the impact, identifying which assets remain vulnerable, and updating security controls. When the endpoint collectors detect an attack event, they send alerts to security central. But you can also configure them to trigger other actions, depending on the nature of the alert. Do you want additional data collection, temporary changes to user privileges, or some other custom action that will assist the response team?

You can also trigger an investigation across all systems in the organization, greatly expanding the scale of your response. You no longer need to make assumptions about the attack’s progress, which can result in an artificially limited view of the affected systems. If you cannot scale the response fast and far enough, you could allow the criminals to work freely in one area while you try to contain just a portion of the infection.

Time and scale are the prime limiters of incident response. Greater automation of data collectors, security triggers, and predefined reactions helps you detect sooner, respond faster, and hunt farther than you could before.

How to make sense of the market for stolen information.

Personal data about you, me, and, most importantly, your customers is being openly sold via online marketplaces. Stolen data has become a mature commodity market, not unlike oil or metals, with supply-driven price fluctuations, different qualities of product, and a range of values and scarcities. This market has expanded far beyond credit card numbers, mirroring the growth of big data in legitimate organizations.

We recently published a report titled The Hidden Data Economy, detailing key types of information that are available and how much they cost. Since you cannot trust criminals, some of these marketplaces may be scams or may be using reputable brand names to perpetrate a different type of fraud, but that does not reduce the overall impression of a vibrant cybercrime economy.

Credit card numbers and other payment information are the most common stolen data, with the lowest price point and widest range of values. Large-scale thefts, the increasing use of chip-and-PIN cards, and rapid response from credit card companies have driven down the value of basic card information. After a big data breach floods the market with new numbers, they may go for only a few dollars each.

However, add in some additional data and the price goes up quickly. Combine payment card information with date of birth, which is a common fraud prevention question, and the value jumps to $15 in the US and about $30 in other major countries. Add in the billing address and the username and password for the account, and the price goes up to between $30 and $45. Many options are available for the discerning criminal, including issuing bank, country, available balance, maximum withdrawal limit, and usability at an ATM, store, or online.

The Stolen Data Value Chain

Credit card numbers are the base metal of stolen data markets — widely available but not worth that much without additional info. Moving up the value chain are account login credentials for payment accounts or banking services, which appear to be priced based on the balance in the account. For less than 5% of the account balance, you can purchase login information for an online payment account. More valuable are full banking services, especially those with the ability to transfer funds to US banks, which sell for about 8% of the balance. Some sellers offer replacements if the purchased account no longer has the advertised balance, while others rely on reputation rankings, purchase feedback, and other common tools of online shopping to reassure customers.

High demand and automated theft operations have made the market for premium content account information attractive and apparently profitable. Whether you want to read some comic books ($0.55), watch online video (up to $1), get access to premium cable channels ($7.50), or watch live professional sports ($15), stolen login credentials are readily available. In an ironic twist, you can even buy stolen credentials to Dark Web markets.

Rare and more specific are logins for individual companies, open vulnerabilities to valuable systems at banks and airlines, access to industrial machines or critical infrastructure, and even stolen enterprise datasets. Just like rare art or jewels, this type of stolen data does not typically carry a direct price tag; instead, value is negotiated between the buyer and seller. Also like stolen art, the prospect of commissioned thefts is probably not very far away, if it is not here already.

With such a significant number of data breaches making headlines over the last two years, it’s not surprising to see so much consumer data for sale. But the wide variety of data and related profit-making schemes never ceases to surprise those of us monitoring the Dark Web on an ongoing basis. Beyond the aforementioned stolen data types, you can also find personal identities, social media access, email accounts, medical information, and much more.

I know from direct conversations with organizations that there is quite a bit of apathy on the subject of cybercrime. Even today, after all the headlines, cybercrime still seems intangible. Too many of us still fail to realize cybercrime is simply the digital evolution of crime, and given the widespread apathy, the emergence of an increasingly established hidden data economy is the destination at which we are bound to arrive. It’s a constant and important reminder for those of us committed to making our connected world safe for our connected lives.

What’s Next? Taking you on a journey to the future
https://securingtomorrow.mcafee.com/executive-perspectives/whats-next-taking-journey-future/ (Tue, 03 Nov 2015)


The threats of tomorrow are more than malware and malicious files. They are multifaceted attacks, using a wide range of techniques and vectors. At FOCUS 2015, we explored where attackers are going, how the environment you need to defend is changing, and what we are developing and delivering to help you deal with these adaptive attack techniques.

Attacks are coming in from many new vectors, including hardware and firmware, virtual machines, supply chains, and of course the legion of cloud applications and services. Motivations are expanding to fill almost every conceivable niche, from financial gain to extortion, business disruption, blackmail, competitive intelligence, or simply wanting to watch the world burn. Our adversaries refuse to play by our rules, so we need to change the way we think about defending this new environment. Static security solutions for the endpoints, data center, and network are no longer sufficient to deal with adaptive attack techniques, cloud-based threats, and whatever else the cybercriminals will come up with to try and steal your data or disrupt your business.

One of the most significant changes to corporate computing over the last decade or more has been the rapid growth and adoption of cloud computing and storage. Efficient and elastic computing, application delegation, SaaS (really Anything-as-a-Service), IoT, and broad connectivity are supporting increased mobility and agility, which in turn is driving furious amounts of innovation. We don’t want this to stop, but the advantages that clouds have brought to businesses and security defenses are also available to attackers. Public clouds not only mean softer targets, but also provide virtually unlimited and anonymous compute and network resources for attacks. Something-as-a-Service means that businesses do not always have the details about their cloud service infrastructure, and has contributed to the emergence of cybercrime-as-a-service. And even private clouds are not safe, as their elasticity helps erode perimeters while introducing new forms of privilege escalation.

Gaining the advantage in this environment means fundamentally changing our approach to security, retooling and rebuilding to make sure that we can comprehend and respond to the threats of tomorrow. The cloud enables scale and agility like we have never seen before, giving us a fighting chance against these complex attacks. We need to think about data differently, examine how the pieces relate to each other, and how we use the information to triage and better assist the human security responders. Accurate intelligence generates better security, and so we are leveraging the cloud to deliver analytics at the scale and speed necessary to make a difference. This means gathering local and global telemetry, from internal and external sources, on an industrial scale. It means dynamically examining code to locate malicious instructions before they can be executed. It means combining and classifying the data and feeding it to next-generation analytics engines with machine-learning capabilities to build a comprehensive, real-time picture of threats, targets, and recommended responses. These and more are processes that would be impractical to run on premises.

Does this mean that on-premise security solutions are dead? Maybe sometime in the future, but for now the combination of cloud scale and local customization are a powerful asset. The cloud can easily work with data from multiple sources, for example correlating activity at one financial institution with an attack on another. On-premise tools are better positioned to work with private intelligence, identify artifacts unique to your environment, or work with your standard IT build. At the same time, we need to do the heavy lifting to shelter you from increasing complexity, so that you can focus on your business with security defenses that are tailored to your organization.

This is the philosophy behind McAfee Active Response and Endpoint Security: ensuring that our responders have the capabilities to respond to an actively changing threat landscape. It is unreasonable to assume that any product from any security vendor will be able to provide a one-size-fits-all solution to these threats or the next ones. So we are empowering our customers to act in their own defense, with the intelligence, analytics, and protections you need to protect your assets, detect emerging threats, and correct vulnerabilities before you can be compromised.


The security industry has, for years, been developing technologies to secure our applications and operating systems. 2015 was the year, however, I feel hardware vulnerabilities truly became real. We saw multiple instances of attackers using hardware, firmware, and BIOS as an element of their attack, from Rowhammer exploiting DRAM to the Equation Group showcasing vulnerabilities in HDDs/SSDs. Despite our extraordinary efforts, attackers can effectively render what we do at the upper layers of the stack moot if the underlying hardware or firmware is vulnerable. Significant value lies below, if the adversaries have the patience and the intelligence to exploit it. As attackers move deeper into the compute stack, they are discovering significant benefits, including denying access to a machine permanently, surviving even a complete reimaging, and escalating into higher privilege levels. This has triggered serious discussions about hardware and firmware security.

The good news is that operating systems do continue to improve their compute security. For example, Windows 10 delivers tremendous new capabilities, offering much better protection for operating system secrets even if there is an admin or kernel level compromise, keeping secrets in a separate partition. Microsoft has also integrated regular updates to BIOS and other firmware via Windows Update to keep them current. However, vulnerable firmware could undermine these new capabilities, allowing attackers to work their way up the stack and into the entire physical platform, regardless of logical partitions, if system vendors are not careful. McAfee continues to partner with Microsoft and the PC ecosystem to address BIOS vulnerabilities, but many persist on deployed platforms if systems go unpatched.

With these new threats, we need to expand our view of what needs to be secured beyond the operating systems and applications. Customers need tools with visibility into the lower levels of the platform so they can detect and correct systems before they become compromised. For example, endpoint detection and response (EDR) tools could leverage capabilities such as McAfee’s low-level CHIPSEC analysis toolkit to find machines that are vulnerable and take faster, more effective action against attacks in progress. CHIPSEC can scan for a BIOS region that isn’t write protected, System Management Mode RAM that is unlocked, and Secure Boot keys with insufficient access control. Feeding this information to EDR solutions could give incident response teams a clearer picture of low-level system vulnerabilities, along with immediate response options if or when any of those vulnerabilities are detected in the future. Potential reactions include killing a malicious process or quarantining a vulnerable machine until it can be updated. Customers can personalize their own solutions, leveraging McAfee’s customer-ready Software Development Kit (SDK), to add their own customized collectors, reactions, and workflows, using native OS commands and familiar languages such as Python, to hunt for and remediate vulnerabilities in their ecosystems.
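The paragraph above describes a collector-to-reaction workflow: a low-level check (BIOS write protection, SMRAM lock, Secure Boot key access) feeds an EDR decision. The Python below is an added illustration of that workflow; it is not CHIPSEC’s own code and does not touch hardware. The bit positions follow the commonly documented Intel PCH/MCH layout of the BIOS_CNTL and SMRAMC registers (register offsets vary by platform, so a real collector must follow the platform datasheet), the scan records are constructed, and the response names are an assumed EDR action vocabulary.

```python
"""Interpret firmware lock registers and map the findings to a response action.

Added illustration of the CHIPSEC-to-EDR workflow; not CHIPSEC's own code.
Bit layout (commonly documented Intel PCH/MCH):
  BIOS_CNTL: BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5
  SMRAMC:    D_LCK bit 4, D_OPEN bit 6
Scan records and response names below are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass

# BIOS_CNTL bits
BIOSWE = 1 << 0    # BIOS Write Enable: flash region is writable when set
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI when set
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: only SMM code may write the region
# SMRAMC bits
D_LCK = 1 << 4     # SMRAM configuration locked until reset
D_OPEN = 1 << 6    # SMRAM visible outside SMM while set


@dataclass
class FirmwareScan:
    host: str
    bios_cntl: int
    smramc: int
    secure_boot_keys_locked: bool  # result of a hypothetical key-ACL check (assumed)


def evaluate(scan: FirmwareScan) -> list[tuple[str, str]]:
    """Return (finding, severity) pairs. Writable flash or unlocked SMRAM is a
    failure, matching the pass/fail logic of CHIPSEC's bios_wp and smm checks."""
    findings = []
    write_protected = (
        not scan.bios_cntl & BIOSWE
        and bool(scan.bios_cntl & BLE)
        and bool(scan.bios_cntl & SMM_BWP)
    )
    if not write_protected:
        findings.append(("bios_region_writable", "high"))
    if not scan.smramc & D_LCK or scan.smramc & D_OPEN:
        findings.append(("smram_unlocked", "high"))
    if not scan.secure_boot_keys_locked:
        findings.append(("secure_boot_keys_writable", "medium"))
    return findings


def respond(findings) -> str:
    """Pick a reaction from an assumed EDR action vocabulary."""
    severities = {sev for _, sev in findings}
    if "high" in severities:
        return "quarantine_until_firmware_updated"
    if "medium" in severities:
        return "schedule_firmware_update"
    return "no_action"


def scan_fleet(scans) -> dict[str, tuple[list, str]]:
    """Evaluate every host and pair its findings with the chosen reaction."""
    result = {}
    for scan in scans:
        findings = evaluate(scan)
        result[scan.host] = (findings, respond(findings))
    return result


# Constructed sample: one unprotected host, one hardened host.
SAMPLE_SCANS = [
    FirmwareScan("lab-host-01", bios_cntl=0x01, smramc=0x08, secure_boot_keys_locked=False),
    FirmwareScan("lab-host-02", bios_cntl=0x22, smramc=0x18, secure_boot_keys_locked=True),
]

if __name__ == "__main__":
    for host, (findings, action) in scan_fleet(SAMPLE_SCANS).items():
        print(host, findings, "->", action)
```

The check deliberately requires SMM_BWP as well as BLE: with BLE alone, a write can still race the SMI handler that is supposed to clear BIOSWE, so a collector that reports "protected" on BLE alone gives the responder false comfort.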

The good news is that attackers are not the only ones who can take advantage of hardware and firmware. Hardware and firmware also give us new capabilities that are not possible with software alone. For example, McAfee has added support for Software Guard Extensions to DXL 2.0 to protect the signing of keys, so that we have a high level of confidence that DXL data was sent by the machine we thought it was. This mitigates attack vectors that spoof or simulate DXL messages, increasing the integrity of the exchange layer. Protecting hardware and firmware, detecting low-level attacks, and correcting incidents before they become compromises are examples of how McAfee is empowering responders with the adaptive capabilities they need to address the threats of tomorrow.


Sophisticated organizations defend themselves against cyber attacks with tools, products, services, and perhaps most importantly highly capable security professionals. But it is becoming very difficult to attract and retain good talent. The pool of qualified available resources has run dry and it is now up to the academic institutions to replenish the workforce population. It won’t be easy, but higher education must save cybersecurity!

The demand for security professionals is at an all-time high, but the labor pool is largely barren of qualified candidates. Various data sources paint a similar picture, with estimates that roughly 70% of security organizations are understaffed, about 40% of junior-level jobs are vacant, and senior-level roles go unfilled roughly 50% of the time. A lack of security talent, especially in leadership roles, is a severe impediment to organizations in desperate need of staffing in-house teams.

Hiring a quality cybersecurity professional is not as easy as you might think. Universities are trying urgently to fill the gaps but are having difficulty in delivering the needed knowledgeable and experienced personnel. Some experts have described cybersecurity as a “zero-unemployment” field. In fact, the gap is widening, with 2020 predictions expecting the shortfall to reach 1.5 million workers. Adding to the challenge, with demand high and supply low, security technology salaries are going up fast and are far outpacing their IT counterparts. Specialty positions show strong double digit growth in salary over last year’s figures. Leadership roles are in great demand as well, with compensation rising to match. Relief of this situation will only come about by balancing the supply side of the equation.

Barriers to resolution

Higher education institutions and governing bodies are working feverishly to fill the tremendous demand with significant numbers of new security graduates, but serious barriers stand in the way. Academic structures are not well aligned to the needs of the industry, there is a lack of consistent degree and curriculum standards, and educating students with relevant content, in a rapidly changing field, is proving difficult with traditional practices.

Positions within the industry are constantly evolving, with new roles and responsibilities emerging at a rapid pace. The titles are changing as are the expectations for education and experience. A recent inventory of federal job responsibilities showed more than 100 occupation-series which include a significant amount of cybersecurity work, representing ~1.6 million employees or roughly 4% of the workforce. Adding to the mix are new industry jobs emerging around privacy, big data, internet-of-things, policy, customer protection, product design, testing, audit, investigation, and legal aspects of security. Education institutions are having a difficult time in aligning the skillsets of graduates with the shifting landscape of what employers truly need at any given moment.

Consistency across different higher education institutions is a separate problem which must be addressed. A nationally recognized degree in cybersecurity does not exist. Instead, most programs are customized and can have a vastly different emphasis and graduation requirements depending upon the host university. There is not even a consensus on the department in which such programs should reside. A 2014 Ponemon report showed a variety of academic departments where cybersecurity is situated, ranging from engineering, computer science, library, military, business, and legal studies. The result is clusters of graduates entering the workforce possessing vastly different sets of educational knowledge and security skills. This is problematic for both potential employers trying to fill a position and prospective applicants desiring to show competitive aptitude.

Teaching cybersecurity is difficult in and of itself. The technology, threats, and attack methods rapidly shift. It seems every eight to twelve months, the industry swings to an entirely new focus. A fellow security professional stated “if they are learning from a book, it is already outdated”. Traditional rote teaching styles are insufficient to train professionals as they rely heavily on static material. More dynamic sources of information, and processes to integrate them into the classroom, are needed. Cybersecurity instruction must be agile and stay very close to the pulse of what is happening in the real world.

Expectations are not being met, either for recent hires into the field or for the companies investing in college graduates. Students told me it was the last six months of schooling which was most relevant. Before that, most describe the knowledge as an interesting history lesson, but not very practical. Learning the fundamentals is always required to understand the landscape and establish base skills, but the real value is in the pragmatic application of knowledge to supporting risk mitigation. I have seen frustration with many companies who have hired graduates, only to discover they are not prepared for day one. They are glad to have them as part of the team, but the organization must start near square one to teach them the current challenges and methods to be successful. Simply put, both sides expect more.

With the vast differences in programs, teaching backgrounds, and content interpretation, sometimes even the basics are overlooked. Many graduates don’t understand the practical distinction between obstacles and opposition. I have found that most, with the exception of those with a statistical background, don’t adequately grasp the relational difference between vulnerability and risk of loss. Most concerning is how many students have a very narrow viewpoint and overlook how cybersecurity is both a technology and a behavioral discipline. Far too many technical graduates see security as solely an engineering problem, where the right hardware, software, or configuration will achieve the goal and forever solve the puzzle. This is just not realistic. Cybersecurity weaves both technology and human elements together in a symbiotic way. Only addressing one aspect may improve the situation, but will ultimately fail as an isolated stratagem. These are fundamental constructs every security professional should be fluent in before entering the labor force.

The solution is apparent

The solution will arrive in three parts. First, partnerships between higher education and the industry will need to attract more talent into cyber sciences, including women and underrepresented minorities. The current numbers of students are just not enough to satisfy demand and expanding diversity adds fresh perspectives to creatively tackle difficult problems.

Second, students must be trained with relevant aspects and materials that take into account the highly dynamic subject-matter and environment. Optimally, this should extend to post-graduates as part of continual learning programs. The professionals of today also have a role to play. They must contribute to the growth and security of tomorrow by advising and mentoring students, assisting educators, and contributing to the development of curriculums. In a recent presentation to educators and academia administrators at the NSF Cybersecurity Summit, I recommended both an expansion of traditional topics and engaging industry practitioners to help provide timely insights and discussions for students. Teamwork across academia and the private sector is mutually beneficial and will help raise the effectiveness of graduates as they enter the workforce.

Third, the curriculums must be designed to align to the security roles in the market. An adequate level of consistency across teaching institutions, attesting to completion of applicable studies, is required. In short, a recognized degree program for cyber sciences must be established.

Progress toward the goal

The shortfall in talent is no surprise, as the industry has seen this coming for some time and a number of groups have been working diligently to change the academic system which supports cybersecurity professionals. The US National Initiative for Cybersecurity Education (NICE) is a strategic organization tying together education, government and the private sector to address cybersecurity education and workforce development. The Association for Computing Machinery (ACM) is an international society for computing working to develop uniform knowledge content for cybersecurity roles.

Working independently, many higher education institutions are taking the initiative to bring in experts to help teach and advise students to deliver more relevant education and better prepare them for the jobs they will be seeking. They are reaching out to industry professionals to help staff and students stay current on latest trends, research, and best-practices.

The Cyber Education Project (CEP) Industry Advisory Board is leading a national academic accreditation program effort to formally establish a Cyber Science degree and necessary certification criteria. Institutionally, we should see a formal Cyber Science degree be approved in 2016 to establish consistent guidelines for graduates across the landscape of higher education.

In the meantime however, businesses must adapt to the challenging employment environment. Hiring of technical and leadership cybersecurity staff will continue to be difficult for the foreseeable future. Human Resource (HR) departments can play a crucial role in planning and addressing problems. In a presentation to a Chief Human Resources organization last year, I outlined a number of different areas where HR can facilitate practices to both hold on to good talent already in place and plan accordingly to hire qualified candidates.

HR teams must stay on top of competitive salary reviews for current security professionals to ensure compensation is at the right level to retain talent in the face of headhunters who are currently circling like sharks, hungry for any opportunity to harvest security professionals. HR representatives should also be prepared to have candid discussions with managers asking to hire new security staff, as the market price may be misaligned to budgets, compensation disparity could be disruptive to current staffing expectations, and it may take an unusually long time to successfully fill a role. In some cases, outsourcing may be the best option and should be up for consideration.

Must save cybersecurity

The industry is in trouble as a huge deficit of available professionals continues to grow. Without well trained personnel, most organizations cannot establish or maintain a sufficient cybersecurity posture. Academia is the gateway to prepare the next generation of professionals and universities are working purposefully to fill the gaps but are having difficulty in delivering the needed knowledgeable and experienced personnel. Progress is slow, but inroads are being made by the best of academia. Cybersecurity may be fought with technology, but it is people who triumph. We must invest in the future generations of professionals who will carry-on the fight. Higher education must save cybersecurity.

The New and Next at McAfee (https://securingtomorrow.mcafee.com/executive-perspectives/new-next-mcafee/, Wed, 21 Oct 2015)


At McAfee we’re re-defining how we envision security, beginning with a new, strategic focus on the threat defense lifecycle. That’s why in the coming days, weeks, and months you’ll see and hear us make a number of moves that layout our thinking around the next chapter in security, and further define the unique ways in which we protect the computing experience. Our goal is to help enterprises address more threats faster, with fewer people, and to help everyone better protect their data, systems, and personal information. With an unwavering focus on outcomes, we are making changes in our portfolio, in our investment strategy, and in our technology roadmap.

Our strategic vision is new, but our core focus of innovating and delivering solutions to protect digital platforms, and to detect and correct attacks on systems and data, remains job one. Our leadership team and I have partnered over the past year to put in place a long-term plan to transform our business.

Starting next Tuesday, October 27, at FOCUS15 in Las Vegas, McAfee begins to unveil the results of our strategic decisions and investments. You can expect some important product announcements during my main stage keynote, with follow-on demonstrations of our technology in action, both today and tomorrow, by Brian Dye, our head of corporate products, and Steve Grobman, our CTO.

I’m proud of the news and announcements you’ll notice as a result of our new strategic vision. From the smallest of changes to the biggest of ideas, everything we’re doing begins and ends with the needs of our customers and partners. McAfee’s singular focus is on creating technologies for the next horizon in security.

If you want to track headlines as they happen, bookmark our newsroom and check back often.

It’s 11:00 p.m. Do you know where your data is?

Most reports on data theft events concentrate on how the bad guys got into the organization, what failed to stop them, and what information was taken. I often think about how the information was taken out, or exfiltrated, and who the likely culprits were.

McAfee recently published a research study that addresses these questions. The most likely thieves are organized crime, hacktivists, and nation states, although insiders are accomplices in about 40% of the thefts, according to the study. When insiders were involved, including employees, contractors, and third-party suppliers, half of the breaches were intentional and the other half accidental.

We asked security professionals at midsize and large companies about their concerns and challenges around data theft. The top two were increasing sophistication of attackers and prevalence of malicious external threats.

On average, the professionals we surveyed have experienced six security breaches that resulted in data exfiltration over their careers, and four of those incidents were serious enough to negatively impact their companies’ financials or require public disclosure. Only half of the breaches were discovered by internal security teams. The other half were found by various external entities such as white hat hackers, law enforcement agencies, and credit card companies.

The Perpetrators: External vs Internal Actors

Figure 1. Actors involved in data breaches

Data thieves are interested in every piece of personal information that your company collects about customers and employees, from names and addresses to account credentials and health information. More than 60% of data theft incidents reported by survey participants involved personally identifiable information, with other valuable financial and payment information (25%) and intellectual property (14%) making up the rest. Structured data, stolen from databases, is the most likely theft when measured by quantity. However, when asked what proportion of incidents involved different data formats, participants said Microsoft Office documents were the most commonly stolen format, followed by CSV files and PDFs.

Open Season On Customer Data

How the data is getting taken out is perhaps one of the most interesting survey findings. Physical media was involved in half of the reported thefts by insiders — especially laptops and USB drives — and in 40% of the thefts by attackers from outside. When thieves leveraged networks to steal data, file and tunneling protocols were the top transport mechanism (25%), followed by Web protocols (24%), and email (14%).

However, increasingly sophisticated attackers are using a wide range of protocols and techniques to get data out, including peer-to-peer, secure shell, instant messaging, voice over IP, and hiding the data within images or video. They are also disguising the data to sneak it through defenses, using encryption, compression, and other obfuscation techniques and making it increasingly challenging to catch data theft with just perimeter and endpoint security.

For a detailed explanation of attacker motivations, typical data targets, and exfiltration methods, read “Data Exfiltration: An Important Step in the Cyber Thief’s Journey” in the just-published McAfee Labs Threats Report: August 2015.

Understanding the valuable targets, motivations, and techniques of cyber thieves is important to detecting data exfiltration and preventing data loss. Some important steps that will help you counter data theft include:

Build a data inventory to help prioritize defenses.

Identify normal data flows for sensitive data. Abnormal data movement is often the first sign of a compromise.
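The second step above, establishing what normal data movement looks like so that abnormal movement stands out, is the kind of check that can be scripted over the flow summaries most organizations already collect. The Python below is an added example and not part of the McAfee study or report: it builds a per-host, per-protocol baseline from constructed daily egress totals and flags a day whose volume is far above baseline or that uses a protocol the host has never used. Field names, the z-score threshold and the minimum size for an unseen protocol are assumptions.

```python
"""Flag outbound data movement that departs from a host's per-protocol baseline.

Added example (not from the McAfee study). All flow summaries are constructed;
field names and thresholds are assumptions.
"""
from __future__ import annotations
from collections import defaultdict
from statistics import mean, pstdev

# Constructed: one week of daily egress totals (host, protocol, bytes_out).
BASELINE = [
    ("fin-ws-07", "https", 52_000_000), ("fin-ws-07", "https", 48_000_000),
    ("fin-ws-07", "https", 55_000_000), ("fin-ws-07", "https", 50_000_000),
    ("fin-ws-07", "https", 49_000_000), ("fin-ws-07", "https", 51_000_000),
    ("fin-ws-07", "https", 53_000_000),
    ("fin-ws-07", "ssh", 1_000_000), ("fin-ws-07", "ssh", 1_200_000),
    ("fin-ws-07", "ssh", 900_000), ("fin-ws-07", "ssh", 1_100_000),
    ("fin-ws-07", "ssh", 1_000_000), ("fin-ws-07", "ssh", 1_300_000),
    ("fin-ws-07", "ssh", 800_000),
]

# Constructed "today": ordinary web traffic, a very large SSH transfer, and
# FTP, which this host has never used before.
TODAY = [
    ("fin-ws-07", "https", 54_000_000),
    ("fin-ws-07", "ssh", 420_000_000),
    ("fin-ws-07", "ftp", 300_000_000),
]


def build_baseline(flows):
    """Mean and population standard deviation of daily bytes_out per (host, protocol)."""
    samples = defaultdict(list)
    for host, proto, nbytes in flows:
        samples[(host, proto)].append(nbytes)
    return {key: (mean(vals), pstdev(vals)) for key, vals in samples.items()}


def detect(baseline, flows, z_threshold=3.0, unseen_min_bytes=10_000_000):
    """Return alerts for flows far above baseline or on protocols with no history."""
    alerts = []
    for host, proto, nbytes in flows:
        stats = baseline.get((host, proto))
        if stats is None:
            # A protocol never seen from this host: alert once it carries real volume.
            if nbytes >= unseen_min_bytes:
                alerts.append({"host": host, "protocol": proto, "bytes": nbytes,
                               "reason": "no_baseline_for_protocol"})
            continue
        avg, sd = stats
        if sd > 0:
            z = (nbytes - avg) / sd
        else:
            # Flat baseline: treat a tenfold jump as anomalous rather than dividing by zero.
            z = float("inf") if nbytes > 10 * avg else 0.0
        if z >= z_threshold:
            alerts.append({"host": host, "protocol": proto, "bytes": nbytes,
                           "reason": "egress_volume_anomaly", "z": round(z, 1)})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE), TODAY):
        print(alert)
```

Volume alone will not catch every exfiltration in the report (a slow drip over HTTPS stays inside the baseline), which is why the inventory step comes first: knowing which hosts hold sensitive data lets you set tighter thresholds where it matters rather than fleet-wide.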

Please restart your car in safe mode

Your car may not get a “Check Security” light in the future, but it might get an “Update Software” light. In addition to Drive, Reverse, and Park, it may also get a Safe mode with diminished but sufficient functions to get home or to a safe stop in the event of an automotive security incident.

As automotive systems use more and more electronic control units and greater information sharing inside and outside of the vehicle, computer security and data privacy join safety and reliability as important aspects of vehicle design, production, and operations. McAfee is part of a large ecosystem of manufacturers, suppliers, standards bodies, universities, and government organizations collaborating to advance the research and best practices on secure driving experiences. Consumer trust and confidence in the security of their vehicle will become as important as reliability and safety were when they emerged as critical consumer issues and competitive differentiators.

“Unsafe at any bandwidth” is not a title that anyone wants to see published. Vehicle designers, product engineers, and suppliers are all working to design in security that can detect, protect, and mitigate current and emerging threats. While networking in-vehicle systems and connecting cars to the Internet increases the threat level, distributed security architectures and layers of defenses that are intentional and proactive will help secure them from chip to cloud. These layers include:

Network security, such as firewalls, message authentication, and behavior enforcement that protects messages and personal information while it is in transit inside the vehicle, between vehicles, or to external services.

Cloud security, such as secure authenticated channels, remote monitoring, threat intelligence, and over-the-air updates that provide real-time connections to additional security services that help detect and correct threats before they get to the car.

Supply chain security, such as authorized distribution channels, component track and trace, and supply continuity that detect and protect the supply chain from compromise and from infiltration of tainted or counterfeit parts.
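The network security layer above lists message authentication as the control that protects messages in transit inside the vehicle. The Python below is an added example of what that looks like in code; it is a simplified scheme of our own, not a specific automotive standard and not any vendor’s implementation. The frame layout (message id, 4-byte counter, payload, 4-byte truncated HMAC), the key and the MAC length are assumptions chosen to fit small bus frames; the counter gives freshness so a recorded frame cannot simply be replayed.

```python
"""Authenticate in-vehicle messages with a truncated MAC and a freshness counter.

Added example of the message-authentication layer; a simplified scheme of our
own, not a specific automotive standard or vendor code. Assumed frame layout:
  msg_id (1 byte) | counter (4 bytes, big-endian) | payload | mac (MAC_LEN bytes)
"""
import hashlib
import hmac
import struct

MAC_LEN = 4   # truncated to fit short bus frames; assumption
HEADER_FMT = ">BI"
HEADER_LEN = struct.calcsize(HEADER_FMT)


class Sender:
    """Attaches a monotonically increasing counter and a truncated HMAC to each payload."""

    def __init__(self, key: bytes, msg_id: int):
        self.key, self.msg_id, self.counter = key, msg_id, 0

    def protect(self, payload: bytes) -> bytes:
        self.counter += 1
        header = struct.pack(HEADER_FMT, self.msg_id, self.counter)
        mac = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:MAC_LEN]
        return header + payload + mac


class Receiver:
    """Accepts a frame only if the MAC matches and the counter is strictly newer."""

    def __init__(self, key: bytes, msg_id: int):
        self.key, self.msg_id, self.last_counter = key, msg_id, 0

    def verify(self, frame: bytes):
        """Return (accepted, reason, payload)."""
        if len(frame) < HEADER_LEN + MAC_LEN:
            return False, "short_frame", b""
        header = frame[:HEADER_LEN]
        body = frame[HEADER_LEN:-MAC_LEN]
        mac = frame[-MAC_LEN:]
        msg_id, counter = struct.unpack(HEADER_FMT, header)
        if msg_id != self.msg_id:
            return False, "wrong_msg_id", b""
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:MAC_LEN]
        # Constant-time comparison so MAC checking does not leak timing information.
        if not hmac.compare_digest(mac, expected):
            return False, "bad_mac", b""
        if counter <= self.last_counter:
            return False, "replay", b""
        self.last_counter = counter
        return True, "ok", body


# Constructed demo key; real keys are provisioned per ECU and never embedded in source.
KEY = b"constructed-demo-key-not-for-real-use"

if __name__ == "__main__":
    sender, receiver = Sender(KEY, 0x2A), Receiver(KEY, 0x2A)
    frame = sender.protect(b"\x01\x64")          # constructed payload
    print(receiver.verify(frame))                 # accepted
    print(receiver.verify(frame))                 # same frame again: replay
```

Two design points a practitioner would check before using anything like this: the 32-bit counter must be persisted across power cycles and handled at wrap-around (otherwise a reboot re-opens the replay window), and a 4-byte MAC is a bandwidth trade-off that only holds up if the bus rate-limits how many guesses an attacker can inject.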

These tools and technologies can be designed into the vehicle, but it also has to be protected once it has left the dealership, a lifecycle that can extend for 15 years or more. Increases in computing performance and storage capacity, and the development of new attack methodologies, could make currently impossible attacks possible. Securing cars over their lifetime means introducing techniques like firmware and software patches, over-the-air updates, and other countermeasures to quickly close vulnerabilities and reduce the cost of recalls. It also means developing incident response plans that encompass all of the stakeholders, including drivers, owners, manufacturers, suppliers, aftermarket parts, dealers and service operations, emergency or transportation agencies, and security vendors.

There are many open questions in this area, and we are just scratching the surface of the security and privacy issues facing the next generation of vehicles. However, we believe that collaboration on research, development, and operations makes the goal of trusted vehicles and confident driving experiences achievable. To learn more about Automotive Security, read our white paper: www.mcafee.com/autosecuritywp


Malicious attacks with firmware privileges can compromise an entire system, so it is especially important to apply measures to reduce the risks.

Breaking hypervisor isolation and attacking — or exploiting — neighbouring virtual machines is a prominent goal of cyber criminals. At the Black Hat USA 2015 and DEF CON 23 conferences, a group of McAfee researchers from the Advanced Threat Research team demonstrated that some hypervisors are vulnerable to attacks through system firmware launched from administrative guests. These attacks led to successful installation of a rootkit in the system firmware (such as BIOS), privilege escalation to the hypervisor privileges, and exposure of hypervisor memory contents.

Hypervisors employ a range of techniques to isolate software and I/O devices, block escapes from any compromised virtual machine to any other virtual machine, and protect each virtual machine’s secrets from the others, including their operating systems. However, these protections fall short when the physical machine’s system firmware is infected with a rootkit or when a compromised virtual machine is able to exploit vulnerabilities in the firmware.

In this case, the firmware rootkit was installed by reflashing the system firmware while it wasn’t adequately protected in non-volatile flash memory. Physical access controls should prevent this in some cases. However, the research also demonstrated that the rootkit could be installed from within privileged guests on machines with inadequately write-protected firmware. Our research demonstrated that a rootkit can open a backdoor for an attacker to access the memory contents of all other virtual machines by adding entries to the hardware-assisted page tables and mapping all of DRAM into the attacker’s guest address space. The attacker can then access the active memory of all the other virtual machines on this host and harvest data at will.
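The backdoor described above works by adding hardware-assisted (second-level) page-table entries that point a guest at host memory it was never assigned. A hypervisor or integrity monitor can catch exactly that by reconciling the guest’s mappings against its allocation. The Python below is an added example of such a consistency check; it is not from the research or from any hypervisor. The page tables are flattened into (guest-physical, host-physical, size) entries and the allocation map is constructed; a real implementation would walk the EPT/NPT structures and consult the hypervisor’s allocator.

```python
"""Check a guest's second-level page-table mappings against the host memory
the hypervisor actually assigned to that guest.

Added example; not from the research described above or from any hypervisor.
Entries are flattened (guest_physical, host_physical, size) tuples and the
allocation map is constructed.
"""
from __future__ import annotations

PAGE = 0x1000

# Constructed host-physical allocation map: owner -> list of (start, end) ranges.
ALLOCATIONS = {
    "hypervisor": [(0x0000_0000, 0x1000_0000)],
    "vm1": [(0x1000_0000, 0x3000_0000)],
    "vm2": [(0x3000_0000, 0x5000_0000)],
}


def owner_of(hpa: int, allocations) -> str | None:
    """Return the owner whose allocation contains the host-physical address, if any."""
    for owner, ranges in allocations.items():
        if any(start <= hpa < end for start, end in ranges):
            return owner
    return None


def check_mappings(vm_id: str, entries, allocations, shared=()):
    """Return the entries whose host range is not wholly inside vm_id's allocation.

    `shared` lists (start, end) host ranges deliberately exposed to the guest
    (for example a read-only firmware table) so they are not reported."""
    allowed = list(allocations[vm_id]) + list(shared)
    violations = []
    for gpa, hpa, size in entries:
        inside = any(start <= hpa and hpa + size <= end for start, end in allowed)
        if not inside:
            violations.append({
                "gpa": hex(gpa),
                "hpa": hex(hpa),
                "size": size,
                "maps_into": owner_of(hpa, allocations) or "unallocated",
            })
    return violations


# Constructed entries for vm1: two legitimate pages, then the kind of entries
# the rootkit above adds (hypervisor memory and the whole of vm2).
VM1_ENTRIES = [
    (0x0000_0000, 0x1000_0000, PAGE),
    (0x0000_1000, 0x1000_1000, PAGE),
    (0x8000_0000, 0x0000_0000, 0x1000_0000),
    (0x9000_0000, 0x3000_0000, 0x2000_0000),
]

if __name__ == "__main__":
    for v in check_mappings("vm1", VM1_ENTRIES, ALLOCATIONS):
        print("vm1 maps", v["hpa"], "size", hex(v["size"]), "->", v["maps_into"])
```

The check is only as trustworthy as the code running it: a monitor inside the same firmware the rootkit owns can be lied to, which is why the post’s first recommendation is protecting the flash itself rather than detecting after the fact.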

Solutions And Exploits

The obvious solution is to increase protection on firmware in flash memory. However, our research also demonstrated that an attacker can exploit other vulnerabilities if the hypervisor allows direct access to the firmware interfaces. For example, we compromised the hypervisor using the resume boot script table in memory that runs when a machine resumes from a sleep state (S3). From a privileged guest, this critical script table structure was changed to access the hypervisor memory spaces. We have published a whitepaper covering the technical details of this S3 resume boot script vulnerability, which has also been independently discovered and discussed by other researchers. In another example, we passed a bad input pointer to the run-time firmware executing in system management mode (SMM) to exploit a vulnerability and inject malicious instructions into this protected area.

In both examples, the attacker first had to exploit some vulnerability in the system firmware of the physical machine such as the SMI handler or BIOS, and then run malicious code with firmware privileges to attack the hypervisor. However, each interface to the firmware that is directly accessible to a virtual machine provides an additional attack vector. Hypervisors can minimize this risk and reduce their attack surface by removing unnecessary guest access to the firmware interfaces and memory locations. Hypervisors can also monitor and proxy interfaces that need to be exposed to the guests and, if possible, apply strict policies on the data passed through them.

Malicious attacks with firmware privileges can compromise the entire system, so it is especially important to apply measures to reduce the risk to applications, software services, and the operating system. You can test your system firmware with available tools such as the open source CHIPSEC framework, which tests for many known vulnerabilities, including the attacks described here. To enable further security testing, we will shortly be releasing new functionality in the CHIPSEC framework to test how hypervisors emulate various hardware interfaces.

Traditional IT security solutions need modifications to successfully defend critical infrastructure on tomorrow’s cyber battlefields.

There has recently been a great amount of discussion regarding critical infrastructure and its inherent security vulnerabilities. Critical infrastructure primarily comprises aging supervisory control and data acquisition (SCADA) and industrial control systems (ICS), which are far more pervasive than most people realize: The Department of Homeland Security has defined 16 separate critical infrastructure sectors, many of which include outdated cybersecurity protections.

Security Through Obscurity No Longer Works

The vast majority of critical infrastructure consists of aging industrial control systems that were designed to operate on isolated, “air-gapped” networks. If considered at all during protocol development and network design, security took a back seat to more pressing considerations such as low latency and uptime. Multisite connectivity typically occurs via secure WAN links on private telecom networks, and operators tend to emphasize physical security over cybersecurity. Today, however, the lack of attention given to network security during early development is becoming problematic as critical infrastructure is increasingly being connected in some fashion to the Internet, giving hackers a potential access point.

Many of these SCADA and ICS systems run proprietary code on legacy operating systems that have been refined over the decades. In fact, most programmable logic controllers, protocol converters, and data-acquisition servers within these systems lack even basic authentication, making them highly vulnerable to hacking. Today, many operators believe the legacy nature of their systems confers protection, which simply isn’t true. If an asset has potential value, there are cybercriminals and nation states with the means and motives to target it.

New Thinking For The Next Generation Of Critical Infrastructure

Complicating matters further, the administrators and operations personnel tasked with supporting critical infrastructure frequently have different priorities. Operational technology (OT) teams that maintain SCADA networks focus primarily on high resiliency and availability to keep production online at any cost, while information technology (IT) teams that manage corporate networks are more concerned with connectivity, security, and compliance. However, both teams understand today’s security imperative, and within most organizations these teams are actively planning the next generation of security architectures.

As the threat landscape shifts over time, both IT and OT security infrastructure must be able to adapt to new security needs, policies, and threat-detection methods. Single-function security devices will soon be a thing of the past, as security architecture becomes increasingly versatile. Firewalls, intrusion prevention systems (IPS), VPN gateways, and routers all perform vital roles. To achieve the infrequent scheduled downtime requirements of OT environments, these software-based devices must be updatable on the fly while performing the security or networking tasks at hand. And to minimize unscheduled downtime, they must be highly reliable or support active-active clustering with transparent failover options.

In addition to support for OT protocols, it’s clear that traditional IT security solutions will need some modifications to successfully defend critical infrastructure on tomorrow’s cyber battlefields. Here’s a list of some potential features and requirements to get started:

Ensure High Performance, Resiliency, And Availability

As the name implies, critical infrastructure must operate nonstop without performance degradation — even when performing processing-intensive deep-packet inspection and real-time emulation. In many cases, there is no such thing as “scheduled downtime.” Therefore, clustering, load balancing, and automatic failover must be standard features of security solutions within critical infrastructure.

Make Endpoints More Intelligent And Secure

The devastating effects of rogue data-scraping apps on point-of-sale systems were made abundantly clear in the aftermath of recent high-profile data breaches. Before that, Stuxnet opened our eyes to what can happen when the industrial programmable logic controllers inside a uranium-enrichment facility are compromised. New and existing endpoints must become sentry points capable of validating that only trusted applications run and of observing every connection made by executables. They must share what they see with firewalls, IPS, and other security devices across the network, enforce application whitelisting and blacklisting, and be able to halt operation if they are compromised.

Protect And Connect Multiple Security Zones

Security architecture must provide advanced protection from both known and unknown threats within each security zone and be able to securely link traffic between security zones, including distributed facilities. This is another area where traditional security devices have come up short. Creating security devices that can be deployed in multiple roles — as stateful firewalls with VPN termination, IPsec VPN gateways for multisite connectivity, or next-generation firewalls with IPS and application control, for example — enables much tighter security throughout the organization. Moreover, the ability to manage the system with a common security console and share security data in a bidirectional manner — regardless of protocol or connection type — gives critical infrastructure architects and operators new levels of flexibility and management simplicity.

Monitor And Manage The Entire System

It’s impossible to overstate the importance of integrated monitoring and management. Threats can pass between IT, SCADA, and ICS zones, so it’s essential to have end-to-end visibility of critical infrastructure and be able to correlate information across systems to identify and mitigate threats. Placing intelligence on all endpoints allows these devices to share security data and be managed as part of an overall architecture. A global management console not only allows remote provisioning, management, and updating of software on all critical infrastructure devices, it enables application whitelisting and other security policies to be pushed to devices. Tight integration between the global management console and the security information and event management (SIEM) solution will accelerate accurate situational awareness and reduce management time and expense. And last but not least, critical infrastructure solutions must simplify the task of compliance reporting and auditing. Integrated monitoring and management makes this possible.

Is our industry currently providing the security technologies, flexibility, and agility to empower critical infrastructure? In many cases I believe the answer is yes, which is good news, given that many of these solutions are also required to secure the Internet of Things and the future of IT overall.


Learning more about your attackers helps to improve your security profile and reduce the possibility of a breach.

Sophisticated criminals using advanced techniques are behind most of the recent security breaches, targeting small network openings and user weaknesses left vulnerable by even the latest shiny new technology. The painful reality is that security operations are struggling with the ever increasing number of threats and attack vectors, while trying to navigate the confusing landscape of security offerings. To add insult to injury, as operations is endeavoring to get its collection of security systems working together and defending every possible security gap, data thieves only have to find a single exploitable opening.

Our research report, A Thief’s Perspective, looks at the five attack methods that made up the majority of the almost 55 million attacks in Q1 2015. From browser blunders to denial of service, learning more about your attackers helps to improve your security profile and reduce the possibility of a breach. A related report surveyed security professionals on the security readiness of critical infrastructure; these professionals reported a high degree of confidence in their cyber defenses, even in the face of increasing threats. They also felt that increased cooperation between organizations, security vendors, and government agencies was critical to a successful cyber defense.

Interrupted Internet

Interrupting or denying access to Internet services remains the number one attack method, representing over 40% of all attacks. That is partially because this abuse of network resources is the easiest method, requiring only a few dollars in Bitcoin transactions to rent time on a distributed denial of service (DDoS) tool and flood a website with malicious traffic. Sometimes that is the whole attack, sometimes it is a deception tool to distract your security team while the real attack slips in unnoticed. Defenses against DDoS attacks have greatly improved, but they still rely on a solid understanding of normal volumes and patterns in order to quickly identify the beginnings of a DDoS flood, deep-packet and SSL inspection to understand the nature of the abusive packets, and powerful filtering to keep them away from your Internet resources.
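The "solid understanding of normal volumes and patterns" the paragraph calls for can be made concrete. The following is an added example, not code from the original post or from any McAfee product: it buckets a constructed access log into ten-second windows, learns the normal request rate from the first few windows (assumed clean), and flags a later window as the start of a flood when it sits far outside that baseline, reporting the number of distinct sources so the operator can tell a spoofed flood from one misbehaving client. The window size, the number of baseline windows, and both thresholds are placeholder values to be tuned per site.

```python
"""Baseline-driven flood detection over an access log.

Added example, not code from the original post or from any McAfee product.
The log lines are constructed for illustration; window size, number of
baseline windows and thresholds are assumptions to be tuned per site.
"""
from statistics import mean, pstdev

WINDOW_SECONDS = 10  # assumption: ten-second buckets are fine-grained enough to catch onset


def parse_line(line):
    """Constructed log format: '<epoch-seconds> <source-ip> <method> <path>'."""
    ts, src, _method, _path = line.split()
    return int(ts), src


def requests_per_window(lines, window=WINDOW_SECONDS):
    """Bucket requests into fixed windows.

    Returns a sorted list of (window_start, request_count, distinct_sources).
    The distinct-source count matters: a flood from hundreds of addresses
    calls for a different filter than one busy client does.
    """
    buckets = {}
    for line in lines:
        ts, src = parse_line(line)
        bucket = buckets.setdefault(ts - ts % window, [0, set()])
        bucket[0] += 1
        bucket[1].add(src)
    return [(start, count, len(sources)) for start, (count, sources) in sorted(buckets.items())]


def detect_flood(windows, baseline_windows=6, sigma=4.0, min_ratio=3.0):
    """Learn normal volume from the first `baseline_windows` windows (assumed
    clean) and flag later windows whose count is both `sigma` standard
    deviations above the mean and at least `min_ratio` times the mean.
    The ratio test stops a very flat baseline (tiny std-dev) from flagging
    ordinary jitter as an attack.
    """
    base = [count for _, count, _ in windows[:baseline_windows]]
    mu, sd = mean(base), pstdev(base)
    flagged = []
    for start, count, distinct in windows[baseline_windows:]:
        z = (count - mu) / sd if sd else (float("inf") if count > mu else 0.0)
        if z > sigma and count >= min_ratio * mu:
            flagged.append({"window": start, "count": count,
                            "distinct_sources": distinct, "z": round(z, 1)})
    return flagged


def build_sample_log():
    """Constructed traffic: eight quiet 10-second windows of 18-20 requests
    from five internal clients, then one window with 600 requests spread
    across 250 spoofed sources."""
    t0 = 1_433_000_000
    lines = []
    for w in range(8):
        for i in range(18 + w % 3):
            lines.append(f"{t0 + w * 10 + i % 10} 198.51.100.{i % 5 + 1} GET /index.html")
    for i in range(600):
        lines.append(f"{t0 + 80 + i % 10} 203.0.113.{i % 250 + 1} GET /index.html")
    return lines


if __name__ == "__main__":
    for hit in detect_flood(requests_per_window(build_sample_log())):
        print(hit)
```

In production the baseline comes from days of traffic, kept separately per hour of day and per endpoint, and the distinct-source count is what decides between rate-limiting a handful of addresses and pushing a signature to upstream scrubbing. SSL inspection is what lets the same logic run over request paths and methods rather than raw packet counts.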

When they want to actually get inside, thieves are still focused on users as the weakest point in your defenses. Whether it is from phishing emails, social engineering, or compromised websites, we have seen an 87% growth in suspect URLs in the last year, and browser-based attacks now make up over 35% of all attacks. Thieves are often focused on a specific department or a few key individuals, and will persistently target them until they get that one click they need. Not only is the number of malicious URLs growing rapidly, but thieves are also hiding their malware in feature-rich content such as Adobe Flash and JavaScript, making it harder to catch with static filters. Users need the added protection of intelligent content filtering that can emulate the browser functions to determine the true intent of any inbound scripting or multimedia file and dynamically adapt to user and attacker behavior.

Stealth Attacks

While the vast majority of attacks are knocking on the front door or trying to trick users with increasingly sophisticated Web lures, others are trying to sneak in by stealth, evade your defenses, or slip through in an encrypted stream. One of the big advantages attackers have is that they can analyze every aspect of your defenses, test various products, and try repeated approaches to figure out what might get through. They break malware up into small pieces for later reassembly, stay dormant during sandbox inspection, and randomize their callback addresses so that the connection back out to their infrastructure is harder to block. Finding these devious attacks requires collaboration from all of your defenses to correlate anomalous events and separate the malicious activity from the noise.

We believe that your information and systems can be protected, attacks can be detected, and breaches quickly corrected if we all act in concert. Information silos and shiny new toys will not reduce the number of threat vectors, but real-time information sharing and coordination between security defenses will significantly increase detection rates and reduce the time to contain and correct the situation if any manage to slip through. We need to change the way we think about security if we want a better prognosis about the realities of today’s threat landscape.


A quiet, professional cyberespionage group steals what every company wants to keep secret: valuable information that drives business. Welcome to the new normal.

Corporate cyberespionage made the front page yesterday with the news of Morpho, also known as Wild Neutron. Regardless of what you call it, these revelations were the latest reminder of the growing prominence of corporate espionage on the cyber landscape. The group targets major IT, pharmaceutical, legal and commodity companies spanning the globe, with concentrated efforts in the United States, Europe and Canada. They are highly organized, and home in on victims to gather confidential information for future monetization.

The quick and dirty on how Morpho operates: its modus operandi combines watering-hole attacks, zero-day exploits and multi-platform malware. The group compromises websites relevant to the target and uses them to deliver either a Java zero-day exploit or a suspected Internet Explorer zero-day exploit. Bottom line: this is cyberespionage via zero-day.

What we can draw from this is that they either have the technical know-how to discover zero-days— which is unlikely for a small group, as Morpho is suspected to be — or, they have the resources to purchase zero-day exploits on the black market. Such a reliance on what we refer to as the Cybercrime-as-a-Service marketplace would reinforce our assertion that if you are well-resourced, the “services” are available to get into the cybercrime game.

Morpho used custom Remote Access Tools (RATs) to sniff for targeted information and for other computers to infect. The group also installed backdoors that let infected machines communicate with C&C servers over encrypted connections. The smartest thing this group did, however, was clean up after itself: once emails and confidential information were stolen, they securely deleted files and event logs. It was as if they had never broken in.

It’s because of this careful cleanup and precise execution of zero-days, that Morpho has successfully operated since 2011. But, Morpho’s success can be attributed to one thing above all: its single-minded and professional approach to compromising, extracting and leveraging business confidential information (BCI) and intellectual property (IP).

Each is valuable to hackers and can spell trouble for any business if they are lost to competitors.

Intellectual property, any work or invention originating from a creative source (art, books, designs, images, logos and company names; source code, product designs, pharmaceutical formulas and building blueprints), is as much an asset as financial resources, property, or physical product. Massive resources are allocated to developing complex products and unique concepts, and their loss costs the companies working on ideas that boldly shape the future billions.

Large industries, like pharmaceutical, chemical, and technology — the very industries targeted by Morpho — are popular targets because their IP is easily reproduced or monetized. But smaller, disruptive companies, developing new ideas, technologies, and products to challenge existing businesses and entire industries, are by no means immune to such cyber-attacks.

At what cost? That’s difficult to quantify for obvious reasons. If a factory burns down, a public company is obligated to reflect that loss in its financial statements. Cyberespionage crimes are as difficult to quantify in cost as they often are to detect. But the U.S. Department of Commerce has estimated IP theft of all kinds (not just cybercrime) as a $200 to $250 billion annual hit to U.S. companies. The Organisation for Economic Co-operation and Development (OECD) estimates that counterfeiting and piracy cost companies as much as $638 billion a year. Such numbers have prompted McAfee Labs to conclude that cyberespionage breaches are the “Crimes of the Century”: they impact both society’s present and future economics and progress.

Business confidential information, which could include investment data, resource-exploration data, and sensitive commercial data such as trade secrets, processes, contracts, and operational information, is almost always valuable and actionable, making it an attractive target.

Not too long ago, business confidential information was at the center of a sports-related cyberespionage case involving two professional baseball teams, the St. Louis Cardinals and the Houston Astros. As we saw there and are seeing again with Morpho, information pertinent to business plans, contracts, and transactions is as valuable a commodity as intellectual property, if not more so. By gaining access to confidential information, Morpho and similar cybercriminals gain insight into an organization, discovering information that can be leveraged to pre-empt critical business transactions, product announcements, and investment news.

The Morpho group has succeeded because they have laser-like precision in what they’re looking for and how they go about getting it. Regardless of intention, tactics used, or business model, the main point is that one key common denominator is driving this sort of cybercrime: the value of information that drives business.

And, as the world’s economies grow increasingly dependent on information as critical capital, cyberespionage is simply part of the global competitive landscape upon which businesses are competing today. The Morpho and Wild Neutron revelations suggest that any other assessment by executive suites—anything less than the business critical need to protect IP and BCI—is dangerously naïve.


Regulatory compliance is an unloved cost of goods—an expense to be managed, like cafeteria subsidies or fleet fuel costs.

Major regulatory gaps are opening around the Internet and Internet of Things (IoT), and especially in the plumbing under the IoT, which is rapidly evolving in a process known as network function virtualization (NFV).

This future is framed by two opposing scenarios that regulators are trying to manage: an amazing future of secure and safe IoT services that raise standards of living and prosperity (built on a firm root of trust); versus an unknowingly vulnerable infrastructure, prone to selfish and criminal manipulation, in which legitimate and illicit entities operate side by side (and which becomes a root of evil). We have discussed IoT regulatory gaps in a previous post about new threats to the IoT.

This series is about broadly driving better assurance in the IoT and streamlining compliance and regulatory reporting related to the next generation of Internet technology required to support the IoT, namely the NFV.

Technology precedes regulation

The complexion of the Internet is changing fast, and that change is now a widely discussed phenomenon, with billions of “Things” flooding onto the network in a stunning array of variety and diversity: houses, cars, pets, people, factories and rail lines, wells, elevators, pacemakers, and on and on. At the same time, and largely unseen, the plumbing of the Internet is changing just as fast.

The plumbing of the Internet consists of millions of interconnected routers and switches and miscellaneous elements such as DNS servers and security services. That plumbing is fundamentally changing. It is “virtualizing,” running as software rather than dedicated hardware. Dedicated and specialized network equipment is being replaced by generalized processing platforms that can be dynamically assigned and reassigned tasks such as routing, switching, DNS, or security. The benefit is significantly reduced cost and increased flexibility and capability.

The risk is that these software-based systems can be hacked. These complex, software-based infrastructures have larger attack surfaces and more potential vulnerabilities. As virtualized infrastructure pushes rapidly into the Internet and enterprises, regulations will struggle to keep current; but they will eventually catch up. But what sort of guidance can regulation offer to a virtualized network infrastructure?

We propose a cost-effective solution to address these types of regulatory requirements in the evolving virtualized software defined networks: We need a “root of trust” based in physical hardware.

Root of trust

A root of trust is essentially a security process that starts with an immutable (unchangeable) hardware identity built into the computer’s processor, typically a key that the hardware holds and never exports. This identity is then leveraged to verify all the software running on the computing platform. For instance, a uniquely identifiable hardware processor (chip) starts, and its identity is validated: it is recognized and known by the system owner, and it appears to be located in the expected logical and physical location.

In a virtualized infrastructure, a trusted processor hands off to succeeding layers: BIOS, hypervisor, operating systems, and virtual environments. Each layer is measured and its integrity validated at start-up, before it receives control, confirming that it is the expected version and that no tampering has occurred.

Figure: Root of trust in a virtualized network.

Alternately, if an unknown or rogue processor attempts to validate itself, it would fail authentication and be detected; the network can be reconfigured (automatically or manually) to avoid the device. Similarly, if an unapproved software load attempts to start on an approved hardware platform, it can be both detected and refused resources at the hardware level—and will fail to start.

Through root of trust operations, it becomes possible to get a reasonable proof that a given piece of information was processed by a given verified system, with a processor that is itself verified and known to be in a given physical location.

Through root of trust processes, auditors and regulators can validate that information processing requirements related to matters such as personal or commercially sensitive data have been managed by verified systems on verified hardware, located in appropriate domains. In other words, the information was not handled by unknown or ambiguous (insecure) systems, in places with incompatible or inappropriate legal systems.
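The chain described in the preceding paragraphs (hardware identity, a measurement of each layer before it receives control, and a verifier that rejects unknown processors, tampered software loads, and devices reporting from the wrong place) reduces to a small amount of code. The following is an added example, not code from the original post or from any vendor's root-of-trust product. A real root of trust signs its quote with an asymmetric key the hardware never exports (a TPM endorsement or attestation key); here an HMAC over a per-device secret stands in, which means the verifier must hold the same secret. The image contents, device identifiers, and site names are constructed.

```python
"""Measured boot plus remote attestation, reduced to its mechanics.

Added example; not code from the original post or from any vendor's product.
A real root of trust signs with a hardware-held asymmetric key; an HMAC over
a per-device secret stands in here, so the verifier holds the secret too.
Images, device identifiers and site names are constructed.
"""
import hashlib
import hmac
import os


def measure(image: bytes) -> bytes:
    """What each layer computes over the next one before handing it control."""
    return hashlib.sha256(image).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """PCR-style extend: the register is only ever folded forward, never set
    directly, so a later layer cannot erase the measurement of an earlier one."""
    return hashlib.sha256(register + measurement).digest()


def boot_chain(images):
    """Run the measurement chain over (name, image) pairs; return the final register."""
    register = bytes(32)
    for _name, image in images:
        register = extend(register, measure(image))
    return register


class Device:
    """Platform whose identity is a secret bound to it at manufacture (stand-in for a hardware key)."""

    def __init__(self, device_id, secret, images):
        self.device_id = device_id
        self._secret = secret
        self.register = boot_chain(images)  # measured boot

    def quote(self, nonce):
        """Attestation quote: identity, measured state, and a MAC binding both to the verifier's nonce."""
        mac = hmac.new(self._secret, self.device_id.encode() + self.register + nonce, "sha256").digest()
        return self.device_id, self.register, mac


class Verifier:
    """The owner's side: which hardware is enrolled, where it should be, and the approved software chain."""

    def __init__(self, enrolled, golden_register):
        self.enrolled = enrolled  # device_id -> (secret, expected site)
        self.golden = golden_register
        self._nonces = set()

    def challenge(self):
        nonce = os.urandom(16)
        self._nonces.add(nonce)
        return nonce

    def verify(self, nonce, quote, observed_site):
        device_id, register, mac = quote
        if nonce not in self._nonces:
            return False, "stale or unknown nonce (possible replay)"
        self._nonces.discard(nonce)
        entry = self.enrolled.get(device_id)
        if entry is None:
            return False, "unknown hardware identity"
        secret, expected_site = entry
        expected_mac = hmac.new(secret, device_id.encode() + register + nonce, "sha256").digest()
        if not hmac.compare_digest(mac, expected_mac):
            return False, "quote was not produced by the enrolled hardware"
        if observed_site != expected_site:
            return False, "hardware reporting from an unexpected location"
        if register != self.golden:
            return False, "software load differs from the approved chain"
        return True, "verified"


# Constructed approved software chain for a host running a virtual network function.
APPROVED = [("bios", b"bios-2.1"), ("hypervisor", b"hv-7.0"), ("vnf-firewall", b"fw-3.4")]
TAMPERED = [("bios", b"bios-2.1"), ("hypervisor", b"hv-7.0-with-implant"), ("vnf-firewall", b"fw-3.4")]


def attest(verifier, device, site):
    nonce = verifier.challenge()
    return verifier.verify(nonce, device.quote(nonce), site)


def run_scenarios():
    """Exercise the outcomes the text describes; returns {scenario: verifier reason}."""
    good_secret, rogue_secret = os.urandom(32), os.urandom(32)
    verifier = Verifier({"cpu-0001": (good_secret, "dc-east")}, boot_chain(APPROVED))
    results = {
        "trusted": attest(verifier, Device("cpu-0001", good_secret, APPROVED), "dc-east"),
        "tampered_hypervisor": attest(verifier, Device("cpu-0001", good_secret, TAMPERED), "dc-east"),
        "rogue_processor": attest(verifier, Device("cpu-9999", rogue_secret, APPROVED), "dc-east"),
        "wrong_location": attest(verifier, Device("cpu-0001", good_secret, APPROVED), "dc-offshore"),
    }
    nonce = verifier.challenge()  # a captured quote presented a second time
    quote = Device("cpu-0001", good_secret, APPROVED).quote(nonce)
    verifier.verify(nonce, quote, "dc-east")
    results["replayed_quote"] = verifier.verify(nonce, quote, "dc-east")
    return {name: reason for name, (_ok, reason) in results.items()}


if __name__ == "__main__":
    for name, reason in run_scenarios().items():
        print(f"{name}: {reason}")
```

Two design points carry over to real deployments: the register can only be extended, so a compromised hypervisor cannot rewrite the BIOS measurement that preceded it, and the nonce is what turns a stored measurement into proof about the system's state now rather than at some earlier boot.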

In the world of appliance-based networking, root of trust did not have a place. Those devices were typically single-purpose, single-sourced, proprietary, and hardened.

This situation is changing rapidly as the Internet is changing both on the surface and in the plumbing.

Watch for Part 2 of this blog for a discussion of the risks and opportunities associated with network virtualization, root of trust, and compliance in the emerging Internet of Things.

Root-of-trust security technologies are built into a wide variety of Intel processors, and are also used by Intel Cloud Integrity Technology (CIT) software.


Balanced security capability, defense in depth, integrated countermeasures, and a threat-intelligence strategy are critical to defending your business from spear-phishing attacks.

Spear phishing continues to be the most successful means of gaining entry to an enterprise network and to valuable business or personal data. According to the latest Verizon Data Breach Investigations Report, two-thirds of all cyber-espionage-style incidents used phishing as the vector. According to a recent study by the Ponemon Institute, the costs of such a breach continue to increase, whether it is legal costs, loss of reputation, customer defections, or other direct and indirect effects.

For the digital enterprise, loss of sensitive data means loss of customer trust and is a threat to future growth. Combating this problem requires an integrated prevent, detect, and respond capability comprising user readiness, anti-malware sensors at the network and endpoints, and well-rehearsed detection and response security operations processes. Combining this capability into an effective security architecture increases speed of response and improves cyber resilience.

Phishing is a difficult threat to defend against because it uses multiple vectors and can take advantage of a user’s work or personal life, or a combination of both, to increase the chance of success. Spear phishing targeted at a specific department or individual is even more difficult because the attackers often build a target profile, based on public and social media information, to gain inside knowledge of work relationships or job functions. This enables them to craft campaigns that appear authentic to the targets, increasing the likelihood of getting that critical click-through.

Increasing user training to identify phishing attempts, respond appropriately, and report them to security operations is the critical first line of defense and greatly reduces the chance of exploitation. Current statistics say we need to do much better in this area. According to Verizon’s Data Breach Investigations Report, the median time from the first message of a phishing campaign being sent to the first click on it is about 80 seconds, so the window between a campaign launching and an attacker gaining a foothold is far shorter than any manual response.

Shoring Up Cyber Defenses

Many enterprises rely solely on their endpoint security tools to catch these attacks. However, given the level of sophistication we are seeing — along with the human design of the attacks — an enterprise must no longer view endpoint security as a commodity but rather as an essential component in cyberdefense. Combating malware delivered through phishing requires additional endpoint sensor capabilities that identify, prevent, and analyze unknown behaviors.

For example, application whitelisting on end-user devices stops advanced and zero-day attacks from infecting the system by preventing unauthorized code execution and, combined with memory protection, blocking attempts to exploit a whitelisted application before the attacker gains a foothold and impacts the business. Application whitelisting is listed as a Quick Win in the SANS Critical Security Controls and is one of the Australian Government’s Top 4 mitigation strategies. According to Australian Signals Directorate Deputy Director Steve Day, attackers have not stolen any sensitive data from government networks that adopted the Top 4 mitigations.

Since email and the Web are the most common delivery vectors for advanced malware, gateway sensors integrated with threat intelligence and malware analysis capabilities are important to amplify the protection gained by user readiness and improved endpoint security. This integration of sensors, analytics, and intelligence increases the speed of decision at the point of attack. Additionally, gateway sensor integration with other layers of defense increases effectiveness. For example, when a user reports a phishing attempt or their endpoint security identifies a malicious file, promptly exchanging intelligence on indicators of attack enables defenses at the Internet boundary to block future attacks from getting through, possibly to a user who would have not recognized them as attacks. This step helps prevent attacks targeting groups of users such as finance users with credentials for key databases.

Finally, if some malware gets delivered and manages to exploit one or more devices, Security Operations provides the critical detection and response capability. Once the infection is validated, whether from a user report, sandbox analysis, or shared intelligence, the prepared incident response plan is executed.

Having prepared response actions significantly reduces the time to contain the attack. For example, one group would immediately search the gateway, email, and host logs to identify any other potentially affected systems. Another would analyze the file or link to expose the malicious behavior, exfiltration type, and targets. They would then determine whether the existing controls are sufficient to contain the attack and prevent exfiltration, or whether additional actions such as system or network quarantines are necessary. Increasingly, these workflows are being predefined and automated through integrations between sensors, analytics, and SIEM (security information and event management). In a recent study, this real-time SIEM has been shown to shorten response to seconds or minutes, in pace with modern attack timeframes.
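The first step above, scoping the incident across gateway, email, and host logs, is the part most worth automating, because it decides which systems get quarantined. The following is an added example, not code from the original post or from any McAfee product: given the indicators confirmed from a user-reported message, it walks constructed mail, proxy, and host logs, assigns each user and host the furthest stage reached (received, downloaded, executed), and pairs that stage with a response action. The log lines, indicators, hostnames, and the key=value log layout are all constructed assumptions; the behavioral rule (an Office application spawning a script host) is included because, as the text notes, hash matching alone misses variants.

```python
"""Scope a confirmed phish across mail, proxy and host telemetry.

Added example; not code from the original post or from any McAfee product.
Log lines, indicators and hostnames are constructed, and the key=value layout
is an assumption so the three sources can be parsed the same way.
"""
import re
from urllib.parse import urlparse

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

HASH_MALICIOUS = "5a1e" + "0" * 56 + "c9d2"   # constructed sha256 of the dropped script
HASH_UNKNOWN = "1111" + "0" * 60             # constructed: a variant not yet seen

# Indicators confirmed from the reported message and its sandbox run (constructed).
IOC = {
    "senders": {"billing@invoice-update.example"},
    "domains": {"invoice-update.example"},
    "sha256": {HASH_MALICIOUS},
}

MAIL_LOG = [
    'ts=2015-06-19T09:58:10 from=billing@invoice-update.example to=jdoe subject="Overdue invoice"',
    'ts=2015-06-19T09:58:11 from=billing@invoice-update.example to=asmith subject="Overdue invoice"',
    'ts=2015-06-19T09:58:12 from=billing@invoice-update.example to=cwong subject="Overdue invoice"',
    'ts=2015-06-19T10:02:30 from=newsletter@vendor.example to=bjones subject="June update"',
]
PROXY_LOG = [
    "ts=2015-06-19T10:01:02 host=ws-117 user=jdoe url=http://invoice-update.example/inv.doc status=200",
    "ts=2015-06-19T10:03:45 host=ws-203 user=asmith url=http://invoice-update.example/inv.doc status=200",
    "ts=2015-06-19T10:04:10 host=ws-305 user=bjones url=https://vendor.example/news status=200",
]
HOST_LOG = [
    f"ts=2015-06-19T10:01:40 host=ws-117 user=jdoe parent=WINWORD.EXE proc=powershell.exe sha256={HASH_MALICIOUS}",
    f"ts=2015-06-19T10:04:20 host=ws-203 user=asmith parent=WINWORD.EXE proc=mshta.exe sha256={HASH_UNKNOWN}",
    f"ts=2015-06-19T10:05:00 host=ws-305 user=bjones parent=explorer.exe proc=WINWORD.EXE sha256={HASH_UNKNOWN}",
]

STAGES = ["received", "downloaded", "executed"]
ACTIONS = {
    "received": "purge the message from the mailbox and confirm no click",
    "downloaded": "isolate the host and retrieve the file for analysis",
    "executed": "quarantine the host, block the callback domain at the gateway, collect memory",
}
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse(line):
    """Turn one key=value log line into a dict (quoted values keep their spaces)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def triage(ioc, mail_log, proxy_log, host_log):
    """Return {subject: (stage, action)}, subject being 'host:<name>' or 'user:<name>'.
    Each subject keeps the most advanced stage observed for it across all sources."""
    stage = {}

    def bump(subject, new):
        if subject not in stage or STAGES.index(new) > STAGES.index(stage[subject]):
            stage[subject] = new

    for e in map(parse, mail_log):
        if e.get("from") in ioc["senders"]:
            bump("user:" + e["to"], "received")
    for e in map(parse, proxy_log):
        if urlparse(e.get("url", "")).hostname in ioc["domains"]:
            bump("host:" + e["host"], "downloaded")
            bump("user:" + e["user"], "downloaded")
    for e in map(parse, host_log):
        known_hash = e.get("sha256") in ioc["sha256"]
        office_spawned_script = e.get("parent", "").upper() in OFFICE_APPS and e.get("proc", "").lower() in SCRIPT_HOSTS
        if known_hash or office_spawned_script:
            bump("host:" + e["host"], "executed")
            bump("user:" + e["user"], "executed")
    return {s: (st, ACTIONS[st]) for s, st in sorted(stage.items())}


if __name__ == "__main__":
    for subject, (stage, action) in triage(IOC, MAIL_LOG, PROXY_LOG, HOST_LOG).items():
        print(f"{subject:14} {stage:10} -> {action}")
```

Note what the behavioral rule buys: ws-203 ran a file whose hash was not on the indicator list, but Word spawning mshta.exe is enough to rank it with the confirmed infection rather than with the hosts that merely downloaded the document.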

Executing the fundamentals consistently leads to an improved security posture. The SANS Institute’s Critical Security Controls and Quick Wins provide an excellent resource for security controls that provide real-world effectiveness. These tools focus on prioritizing what works and on processes that have demonstrated their effectiveness against the latest threats. Your security strategy should be reviewed to ensure effectiveness against targeted attacks such as spear phishing.

Balanced security capability, defense in depth, integrated countermeasures, and a threat-intelligence strategy are the critical steps necessary to defend your business from spear-phishing attacks. Implementing these recommended solutions can increase your capability to prevent more attacks early and detect and contain infections faster, making your business more resilient.

An Effective Community Is More Than Just An Online Forum
https://securingtomorrow.mcafee.com/executive-perspectives/effective-community-just-online-forum/ (Fri, 19 Jun 2015)


It is important to develop a strong base of contributors who can communicate effectively, answer questions, and summarize issues.

Like many companies today, our success is dependent on the community of customers and partners that grows around our products and services. This community augments and extends our capabilities with complementary products, places to go to learn more, and people that can answer questions.

It is admittedly challenging to effectively serve this type of community while balancing the needs and resources of a technology innovation company. The members easily outnumber our employees, let alone those able to respond to questions and suggestions. There is also a tendency to rely on numbers — such as how many members or how many page views — to quantify the value of the community. In our experience, this leads to misunderstanding the benefits and misallocating the resources necessary to build these relationships into an actual community, not just an online forum.

One of the biggest obstacles to community development is fear, which can lead to too much control and not enough openness to foster solid relationships. This fear could include a fear of open criticism of the company; fear of loss of brand image; or a fear of providing valuable intelligence to competitors. In our experience, and in the experience of many other companies, the benefits of more open communications within the community far outweigh any public criticism or other potential negatives. In our connected world, the conversations and criticisms are happening online, and it is far better to actively participate in them than to try to control them.

Encourage Participation

In most product communities, the majority of participants consume information, a smaller number contribute tutorials and reviews and answer questions, and an even smaller number are development partners. As a result, it is important to develop a strong base of contributors in the community who can communicate effectively, answer questions, and summarize issues.

Another tendency with corporate communities is not allocating enough time and resources, with the thinking that the community will grow and regulate itself. While this may be true in some cases, the contributors are often looking for a stronger relationship with the company, not a hands-off attitude. Depending on the individual, they might want to be part of a focus group, beta test, or Q&A session with technical personnel. Done well, these people become a positive influence within the community, shepherding others, and providing valuable feedback on what the community wants and needs.

Our online community has about 85,000 registered users, and about 5% of these actively post in the forums. With over 2 million page views a month, there are many non-registered users viewing posts and getting answers to their questions. In addition to questions, we get posts on cyberthreats, product issues, feature requests, usage tips, and many other subjects. Active participants are sometimes invited to participate in more focused activities or engagements with product management and senior executives at McAfee.

Over the last 18 months, we have increased the energy and scale of user outreach, introducing many new communication vehicles and resources. Customers can subscribe to a variety of topics, including product news, best practices, and educational information, and they can search the community archives and product KnowledgeBase.

As-a-service models offer huge opportunities, but also complicate security.

Sometimes the easiest way to migrate to a new architectural model is to let others do the work, others who are experts in their field. This has given rise to many as-a-service models throughout the industry and across the entire technology stack, from software to infrastructure. While this has unlocked huge opportunities to accelerate the deployment of new capabilities or increase economic efficiencies within an organization, it has complicated and even compromised security.

Let’s take a closer look at this trend and the implications. A private cloud is nothing more than the virtualized components of a traditional data center, making it easier to provision, operate, and manage resources efficiently. Hybrid clouds leverage larger-scale public cloud environments to drive further efficiencies. Containers take this a step further, with much faster start times and finer-grained segmentation; note, though, that containers share the host kernel, so the isolation between them is weaker than between virtual machines, and a kernel vulnerability exposes every container on the host.

In this new reality, the traditional perimeter security model is insufficient. How do you define a perimeter in an environment where any device goes through many networks to many services, both inside and outside the business, or many containers are operating in a single machine?

Security in this any-to-any world must become more dynamic. This means creating an abstract of security functions, like a hypervisor does for operating functions. Security becomes a shared virtual service, applied to workloads and flows instead of machines and physical networks. Automated controls deploy security instances according to policy, reducing the cost and time of deploying new applications or services and taking advantage of the value proposition of virtualization and private/hybrid clouds. Hardware-level security functions help boost performance of the virtual environments while restricting opportunities for leaks. Like software, storage, and other parts of the stack before it, security becomes virtualized, with the same benefits and characteristics.

A Partnered Approach

This new approach to securing enterprise clouds is based on virtual isolation and micro-segmentation. By partnering with the leading virtualization companies, security vendors make sure that each workload deploys dynamically and automatically with virtual sensors that observe and report to the security manager, significantly increasing visibility and control over the virtual environment. Virtual perimeters surround each workload, separating them from each other and from the escalated privileges of the hypervisor. Security policies are linked to the workload, so if a virtual machine or container moves, suspends, or restarts, its policies stay with it. Workloads with different security levels are isolated whether they are on the same physical server or in different data centers, in a virtual machine or a container, reducing the risk of attacks based on privilege escalation or vulnerabilities in the hypervisor.

One key advantage to this cloud security model is that it applies between layers as well as between workloads. Whether data is flowing in and out of a data-center (north-south), from server to user, or within a data center (east-west) from server to server, it is protected and evaluated by the network gateway, data loss prevention, and other components as defined in your policies.

Consistent policies, protections, and enforcement across your virtual infrastructure are now a reality, as the agility, ubiquity, and efficiency of software-defined security joins the rest of the software-defined infrastructure. This is true cloud security.

This blog post was written by Penny Baldwin.

The information age, the digital age, one thing’s for sure – the general marketing landscape has expanded and evolved beyond our wildest imaginations.

But with the amount of innovative trends and methods entering the market, how do you narrow down the field and pinpoint the ones that are right for your brand? In the B2B tech space in particular, this is inherently difficult to do.

While there’s no single strategy that is right for every brand, there are a few digital trends whose influence we can’t ignore, regardless of the market a brand calls home. Take a look at my top three trends and how your brand can utilize each of them:

‘Mobile-friendly’ has become ‘Mobile-first’

More than 64% of American adults own a smartphone, meaning mobile is no longer simply a consideration – it’s a focal point. Take a look around – how many people can you spot focused in on the screens of their mobile devices? Even in the office, my bet is you’re able to count a few.

With more and more content consumption happening on the go via mobile, brands need to design with a mobile-first mentality. Be it ad campaigns, site optimization or even basic web copy, mobile should be a lead driver behind those decisions.

A picture may be worth a thousand words, but a video is worth a thousand more.

With apps such as Periscope and Meerkat entering (and disrupting) the market, video is proving to dominate. But even the realm of video is changing, as we are now finding that silence is golden when it comes to moving images. So are you leveraging all of this to your brand’s advantage?

Here’s an idea to consider: the next time you have a product announcement, speaking engagement, or company event, live stream it. Tell people when to tune in, send them a link and watch engagement soar. It doesn’t matter if it’s the launch of a new car, a live sporting event, or a tech user conference – live, moving content will engage and capture online communities and create a sense of belonging.

No matter how digital, brands should be increasingly human.

Never undervalue the power of a conversation. In the digital world especially, people want to know what others are up to, and that applies to brands as well. Take it one step further, and it’s been found that people primarily buy from companies they trust and can relate to.

So, weave emotion and authenticity into your digital experience and start interacting with your audience(s) on social media! A lot of positive can come from a brand showing it cares and listens to its customers.

What digital trends are you capitalizing on this year? Tweet me @PennyRBaldwin to share your thoughts.


Organizations must adopt a new way of thinking about safeguarding sensitive data from theft and unauthorized exfiltration.

The recent slew of high profile data breaches has prompted organizations to harden network perimeter defenses with the latest security technologies. In response, some cybercriminals are shifting their focus toward the human element, with phishing and social engineering scams that fool corporate users or contractors into giving up network access credentials. Other hackers are using more sophisticated methods to evade defenses, such as advanced evasion techniques (AETs). Once inside, attackers often discover a lack of internal security controls. They can take their time to avoid detection while installing malware that exfiltrates data from internal file servers or devices such as point-of-sale terminals, ATM machines, critical infrastructure controllers, and healthcare endpoints. This exfiltration process can go on for weeks, months, and sometimes even years before discovery.

Data loss prevention (DLP) solutions do an excellent job of classifying, fingerprinting, and controlling access to “data at rest” on PCs, servers, and even removable storage devices. They also control how potentially sensitive “data in use” is handled at endpoints and discover and protect sensitive “data in motion” such as data sent through network traffic, email, and instant messaging. DLP is effective against both intentional and unintentional disclosure of confidential information. However, there are certain instances of data in motion where a next-generation firewall can also be effective in preventing data theft. As demonstrated in recent major retail breaches, attackers were able to bypass security controls by setting up their own communications back channels or encrypting exfiltrated data to bypass keyword filters. Because of their strategic locations at ingress and egress points throughout networks, NGFWs are able to work with endpoint management and DLP solutions to enhance existing protections and provide additional security in the battle against data breaches.

Getting More from Your Firewall

While cybercriminals keep changing their tactics, security best practices have not changed much over the years. Best practices still recommend deploying a standard set of processes and security tools, including firewalls, IPSs, and DLP solutions, with the same basic protection strategies. Firewalls are still positioned primarily for blocking intrusion attempts at the network perimeter or protecting data centers. However, when hackers circumvent perimeter defenses with phishing tactics and AETs, firewalls are rendered useless and other defenses must pick up the slack.

It’s time to challenge conventional thinking and get more from your firewall. Next-generation firewalls should serve a dual purpose — they should stop attackers from infiltrating the network and prevent attackers from exfiltrating sensitive data.

The most logical way to do this is to leverage the connection-blocking capabilities already built into most firewalls. Today’s next-generation firewalls have the logistical placement, performance capabilities, and application control features required to block unauthorized data streams from rogue applications before they leave the network. The challenge is that most firewalls are blind to these data exfiltration activities. Real-time, granular, actionable intelligence from endpoints is the critical information that firewalls need to enable application layer exfiltration protection. High level requirements for a more complete inbound and outbound protection solution are listed below:

Endpoint intelligence. Endpoint intelligence must work with firewalls and other security services across the network for risk correlation, analysis, and forensics. As a team, they should validate the use of trusted applications, inventory application processes, monitor communications activities, and scrutinize all outgoing connections made by executables. Applications must be associated with legitimate users, especially where BYOD or shared devices are a concern.

Minimal performance overhead and device footprint. Many endpoint devices have limited resources and storage capacities — especially in the case of retail POS systems, ATM kiosks, and medical devices. The endpoint implementation must be very lightweight, both in terms of size and processing requirements.

Whitelisting to allow only authorized activity. Firewalls and endpoints must both enforce the use of trusted applications, users, and associated connections with whitelisting technology, allowing legitimate, validated traffic to pass through to file servers, data storage, or trusted third parties such as merchant banks.

Blacklisting integration for corrective action. For real-time protection, firewalls and endpoints must also be capable of sending notifications when rogue applications are discovered, blocking illegitimate traffic, and taking immediate corrective action. Compromised hosts must be quarantined and the identified malware and communications blacklisted to prevent data exfiltration.

Efficient management. A new approach must work within an existing centralized management schema to maximize management efficiency and minimize related expense.
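The requirements above describe a join between endpoint process telemetry and firewall flow records, with an allowlist deciding which application-to-destination pairs may leave the network. The following is an added example of that logic, not McAfee's code or product behavior; the allowlist, endpoint events, log format and addresses are all constructed for illustration.

```python
"""Added example (not McAfee's code): correlate endpoint process telemetry
with firewall connection records so the firewall can allow only trusted
application-to-destination pairs and flag everything else for quarantine.
All allowlist entries, endpoint events and log lines are constructed."""
from dataclasses import dataclass
import ipaddress
import re


@dataclass
class Verdict:
    host: str
    exe: str          # "?" when the firewall saw a flow the endpoint agent never reported
    dst: str
    action: str       # "allow" or "block"
    reason: str


# Hypothetical allowlist: (trusted executable, destination port) -> permitted networks.
ALLOWLIST = {
    ("pos_terminal.exe", 443): [ipaddress.ip_network("203.0.113.0/24")],  # merchant bank (TEST-NET-3)
    ("backup_agent.exe", 22): [ipaddress.ip_network("10.10.5.0/24")],     # internal file servers
}

# Constructed endpoint agent events: which process and user own each outbound source port.
ENDPOINT_EVENTS = [
    {"host": "pos-17", "src_port": 50211, "exe": "pos_terminal.exe", "user": "posops"},
    {"host": "pos-17", "src_port": 50212, "exe": "svchost_updater.exe", "user": "posops"},
    {"host": "fs-02", "src_port": 40100, "exe": "backup_agent.exe", "user": "svc_backup"},
]

# Constructed firewall connection log in a key=value format.
FW_LOG = [
    "2015-03-02T10:01:02Z host=pos-17 src=10.20.1.17:50211 dst=203.0.113.10:443 proto=tcp",
    "2015-03-02T10:01:05Z host=pos-17 src=10.20.1.17:50212 dst=198.51.100.77:443 proto=tcp",
    "2015-03-02T10:01:09Z host=fs-02 src=10.10.1.2:40100 dst=10.10.5.9:22 proto=tcp",
    "2015-03-02T10:01:11Z host=fs-02 src=10.10.1.2:40101 dst=198.51.100.77:8080 proto=tcp",
]

LINE_RE = re.compile(r"host=(\S+) src=\S+:(\d+) dst=(\S+):(\d+)")


def parse_fw_line(line):
    m = LINE_RE.search(line)
    if not m:
        raise ValueError(f"unparseable firewall record: {line!r}")
    host, src_port, dst_ip, dst_port = m.groups()
    return host, int(src_port), ipaddress.ip_address(dst_ip), int(dst_port)


def evaluate(fw_log, endpoint_events, allowlist=ALLOWLIST):
    """Join each firewall flow to its endpoint process record and apply the allowlist."""
    by_socket = {(e["host"], e["src_port"]): e for e in endpoint_events}
    verdicts = []
    for line in fw_log:
        host, src_port, dst_ip, dst_port = parse_fw_line(line)
        dst = f"{dst_ip}:{dst_port}"
        event = by_socket.get((host, src_port))
        if event is None:
            verdicts.append(Verdict(host, "?", dst, "block", "no endpoint context for this flow"))
            continue
        allowed_nets = allowlist.get((event["exe"], dst_port))
        if allowed_nets is None:
            verdicts.append(Verdict(host, event["exe"], dst, "block",
                                    "executable not trusted for this destination port"))
        elif not any(dst_ip in net for net in allowed_nets):
            verdicts.append(Verdict(host, event["exe"], dst, "block",
                                    "destination outside the permitted networks"))
        else:
            verdicts.append(Verdict(host, event["exe"], dst, "allow",
                                    "trusted executable to a permitted destination"))
    return verdicts


def quarantine_candidates(verdicts):
    """Hosts where an identified executable was blocked. Flows with no process
    context are blocked too but escalated for investigation, not auto-quarantined."""
    return sorted({v.host for v in verdicts if v.action == "block" and v.exe != "?"})


if __name__ == "__main__":
    results = evaluate(FW_LOG, ENDPOINT_EVENTS)
    for v in results:
        print(f"{v.action:5} {v.host:7} {v.exe:20} -> {v.dst:22} {v.reason}")
    print("quarantine:", quarantine_candidates(results))
```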


Enhanced analytical capabilities will help organizations better understand how attacks will unfold, and how to stop them in their earliest stages.

Prediction is as old as humankind, as we’ve searched for clues to the future. Big data, computer models, and sophisticated algorithms have brought us much closer to accurately predicting things such as actuarial tables, inventory levels, and financial behavior. These tools help with pricing, manufacturing, and application approvals. Advanced analytics can also help security analysts understand the probable path of an attack and enable faster actions to contain or even stop it before it becomes a serious threat.

Security officers already bear some responsibility to predict threats, which affects budget, purchase, and staffing decisions. They use available information on today’s threats to prepare for tomorrow’s, on a broad scale. But how do you predict and respond to a single serious attack amid all of the day-to-day noise in a way that is actionable and sustainable?

Effective prediction requires a large amount of data from a range of activities, including normal behavior, historical events, and third-party intelligence. The bad news is that the sheer volume of security data we are collecting is already overloading the ability of human analysts to interpret. The good news is that this is exactly what predictive analytics needs to crunch through and present in an actionable format.

To use a simple example, you have data from a historical attack that used several IP addresses and domains. Those addresses are already flagged as malicious, but you investigate and find that there are another 200 domains with the same owners. Adding those domains to the watch list gives you an early warning that, if any of them is being accessed from your network, you are probably seeing the beginnings of a new attack.

This example is admittedly simple, and there are significant barriers to overcome before predictive security analytics becomes commonplace. The ability to distinguish between suspicious and malicious, to determine if someone has a weapon and is not merely loitering outside, requires more context about the data. Where did this information come from? How old is it? Why was it marked malicious? A threat intelligence exchange model can provide this much-needed context, sharing threat information in real-time among partners, other companies in the industry, security vendors, and government agencies.
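The watch-list example two paragraphs up and the context questions in this one (where did the indicator come from, how old is it, why was it flagged) fit together in a small pipeline. The following is an added illustration, not McAfee's code: the registrant mapping stands in for a WHOIS pivot, and the intelligence record, dates and proxy log lines are constructed.

```python
"""Added example (not McAfee's code): grow a watch list from one confirmed
indicator to the other domains that share its registrant, then scan proxy
logs for early-warning hits that carry the context an analyst needs
(where the indicator came from, how old it is, why it was flagged).
The registrant mapping, intelligence record and log lines are constructed."""
from datetime import date

TODAY = date(2015, 3, 4)  # constructed "now" for the age calculation

# Constructed stand-in for a WHOIS/registrant pivot: domain -> registrant id.
REGISTRANT_OF = {
    "update-check.example": "reg-4417",
    "cdn-sync.example": "reg-4417",
    "news-portal.example": "reg-4417",
    "shop.example": "reg-9001",
}

# Constructed intelligence record from a historical incident.
KNOWN_BAD = [
    {
        "indicator": "update-check.example",
        "source": "internal incident report 2014-11",
        "first_seen": date(2014, 11, 3),
        "reason": "command-and-control beacon observed during the incident",
    },
]

# Constructed proxy log lines.
PROXY_LOG = [
    "2015-03-04T08:12:41Z client=10.1.4.22 host=shop.example status=200",
    "2015-03-04T08:13:07Z client=10.1.4.22 host=cdn-sync.example status=200",
    "2015-03-04T08:15:59Z client=10.1.7.5 host=news-portal.example status=404",
]


def expand_watchlist(known_bad, registrant_of, today):
    """Confirmed indicators keep their provenance; pivoted domains are added as
    'suspicious' with a reason that records the pivot, not as 'malicious'."""
    watch = {}
    for rec in known_bad:
        watch[rec["indicator"]] = {
            **rec,
            "confidence": "confirmed",
            "age_days": (today - rec["first_seen"]).days,
        }
        owner = registrant_of.get(rec["indicator"])
        if owner is None:
            continue  # no registrant data: nothing to pivot on
        for domain, registrant in registrant_of.items():
            if registrant == owner and domain not in watch:
                watch[domain] = {
                    "indicator": domain,
                    "source": f"registrant pivot from {rec['indicator']}",
                    "first_seen": today,
                    "reason": f"shares registrant {owner} with a confirmed indicator",
                    "confidence": "suspicious",
                    "age_days": 0,
                }
    return watch


def parse_proxy_line(line):
    # Skip the timestamp, then split the remaining key=value fields.
    return dict(field.split("=", 1) for field in line.split()[1:])


def scan_proxy_log(lines, watch):
    """Return each hit with the full watch-list context attached for the analyst."""
    hits = []
    for line in lines:
        fields = parse_proxy_line(line)
        entry = watch.get(fields["host"])
        if entry is not None:
            hits.append({"client": fields["client"], **entry})
    return hits


if __name__ == "__main__":
    watch = expand_watchlist(KNOWN_BAD, REGISTRANT_OF, TODAY)
    for hit in scan_proxy_log(PROXY_LOG, watch):
        print(f"{hit['client']} -> {hit['indicator']} [{hit['confidence']}] "
              f"{hit['reason']} (source: {hit['source']}, age: {hit['age_days']}d)")
```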

Incomplete Alerts

Even with context, the alerts from predictive analytics are still going to be incomplete. They are not going to deliver the same certainty as matching a malware signature or known bad IP address. What they will do is provide enough probable cause for protective actions to start earlier, before you have all the details of the attack.

Is the market ready for these tools? Not quite. Most customers I meet with are so busy with collecting data for compliance and regulatory use cases that predictive analytics are an aspirational goal. But these organizations are slowly building the foundation needed for prediction by increasing integration and automation of their security forces. These foundational abilities include real-time hunting, prioritization, and scoping of security incidents seen in their environments. Blocking decisions are being made automatically, based on policies and increasingly detailed profiles of normal and abnormal behavior. And we continue to work with our industry partners to respond to rapidly changing and evolving attack patterns with tools that are smart, integrated, and adaptive.

Enhanced analytical capabilities will help those on the front lines better understand how attacks will unfold, and stop these strikes in their earliest stages.

A strong defense against compromise involves three layers: hardening devices, securing communications, and monitoring behavior.

If criminals breach data security and steal credit card numbers or personal information, your company suffers loss of reputation and potentially significant intangible costs. If they breach security of your cyber-physical control systems, you could be facing damage or destruction of physical property and significant tangible costs.

Cyber-physical systems, where computers and the Internet meet the real world, cover a wide range of devices. Industrial automation, home control, smart grids, and medical devices are just a few examples. These machines make decisions and take actions based on inputs from physical readings. Cybersecurity for these systems is an extension of reliability, protecting them from faults or damage introduced by cyberattacks.

These attacks follow a similar attack-chain pattern to non-physical attacks, until the final stages. In the initial reconnaissance, they will research the types of equipment you use that could be compromised and then try to find a weakness in your defenses, whether it is digital, physical, or social. Building a weapon that can get through this weakness comes next, followed by attempted delivery. If delivery is successful, the weapon will exploit the security breach to download and install malware targeting the physical system or device.

Once the malware is installed, the attackers can command and control the compromised device, and this is where the game changes. With access to the device, they can observe your normal operations, query sensors, and run test probes to determine what effect they can have.

Nefarious Objectives

The objectives of a cyber-physical attack are usually not data exfiltration, at least not in the large amounts seen in other attacks. Instead, the attackers could be targeting corporate espionage, denial of control, disablement of alarms, manipulation of sensors or actions to adversely affect output, or physical damage. Overt control could be deferred for a long time while they watch, waiting for the right opportunity to execute or to coordinate with other actions.

A carefully researched and executed series of phishing emails gave attackers access to and control of the production systems in a German steel mill in 2014. Disabling various alarms and safety mechanisms, attackers instigated equipment failures that triggered an emergency shutdown of a blast furnace, causing a massive amount of damage.

In another attack in 2013, snipers shot at and damaged 17 electrical transformers in California, causing them to leak coolant, overheat, and shut down. Just before the attack, they cut the phone and data cables in an attempt to disable the alarms. While there was no cyber component to this attack, it provides an example of the potential of a coordinated cyber and physical attack on vulnerable physical systems.

Defending cyber-physical systems from attack and compromise involves three layers: hardening the devices, securing communications, and monitoring behavior. Older devices can be protected by hardened gateways with a tamper-resistant operating system and strong application execution controls, while new ones should have these functions designed in. Communications between all processes, devices, and systems should be encrypted in virtual private network tunnels to keep them secure from unauthorized interception or modification. And monitoring of the system and all its components needs to be automated, based on clearly defined policies, to quickly distinguish between normal and suspicious behavior and to catch threats as early as possible.

Sharing intelligence on threats and attacks, with industry partners, government agencies, and security companies is another important step in moving up the attack chain. Given the importance of cyber-physical systems to our lives and communities, it is imperative that we secure them from attacks, and I am confident that we have the resolve and ability to do so.

Reverse proxies are critical to shield Web apps from external attacks.

Many organizations today are concerned about how to safely provide customers, employees, and vendors access to their Web applications. They need to protect their internal assets against external malware attacks. Every day we read new horror stories in the press about hackers who use phishing emails and drive-by malware downloads to steal money, identities, and sensitive internal documents.

Blocking this type of attack requires a combination of technologies. Email protection software is the key technology to help protect users against phishing emails, while a traditional Web gateway acts as a proxy to protect endpoint systems from malware, sites with poor reputations, and unauthorized exfiltration of protected content.

These tools generally protect against attacks launched against your end users. Conversely, if you need to provide a Web service to external users such as customers or business partners, how do you protect that system against attack?

To do that, you need a reverse proxy.

In a typical reverse proxy configuration, the proxy intercepts Web traffic that an external user is attempting to upload. At this point, complete malware scanning and even DLP rules can be applied to protect the company from both malicious files and incidental private user data being uploaded inadvertently. The proxy only allows clean data in, while blocking attacks, malware, and suspicious data.

In certain use cases, it may make sense to configure the Web server to use the Internet Content Adaptation Protocol (ICAP) to hand incoming content to a separate malware scanning device for analysis. The ICAP scenario gives the Web server greater flexibility in how it treats the incoming content.

Using this type of configuration improves overall security, while allowing those outside the firewall who require access to critical applications to get it. Productivity is enhanced, without jeopardizing security.

This blog post was written by Penny Baldwin.

Marketers, take note: A killer digital marketing campaign is no longer about a banner ad campaign and a lukewarm social presence. If you’re not staying on top of user behavior and of-the-moment trends, you’re not going to win over your market share. The good news: there are more members of the online community than ever, and that means there’s a magnitude of ways to tap into that community that were, until now, unimaginable.

This new digital landscape doesn’t have to be as daunting as it often appears. Sure, we’re going to read about companies serving up ads via smart refrigerators and connected cars, but the big marketing picture doesn’t have to be that specialized. Some of the trends that we’ve been seeing up until this point are actually pointing to a more tangible marketing experience, and can be adopted and integrated into day-to-day strategies.

So, what can we, as marketers, do to keep up with the digital transformation and stay on top of digital marketing trends?

Let’s let some numbers do the talking while we count down some of the top trends of digital marketing for 2015.

Five: Mobile Makes an Entrance

34% of those involved in B2B buying decisions in 2014 used their mobile devices across each stage of the purchase process. (Google)

Even if you’re not in the B2B space, it’s impossible to deny the emergence of mobile in the digital marketing mix. This year will be no different from 2014, with marketers thoughtfully integrating mobile strategies into their campaigns. At this point, it’s virtually unacceptable to have a site that isn’t optimized for the mobile experience. Content consumption is happening on the go, 24/7 – it’s our job as marketers to make the transition from desktop to mobile as seamless as possible. Even mobile advertising is getting in on the action, with the rise of companies like Millennial Media coming into play.

Four: Video on the Rise

70% of those researching B2B products and services now use video across the purchase path (Google)

First, content was king. Then it was visual content. Now, it seems that video is taking the throne. Video as a digital marketing tool is one of the top trends coming into play right now, and everyone is jumping on board. From product demos to brand awareness campaigns, marketers continue to turn to videos to help them tell their stories.

In 2015, we’re going to continue to see brands strengthen their Facebook and Twitter presences, while chasing after greener communities like Instagram, Pinterest and Vine. As marketers, we need to be where our audiences are, and according to the stats, they’re in more than one place.

While it’s encouraging to see so many brands make the shift to an online-first marketing strategy, it also means that there aren’t enough pieces of the pie to go around. Twitter says that one tweet may only be digested by 30% of your followers, leaving a whopping 70% virtually untouched. Those users are your leads, your customers, your advocates – and paying for social advertising helps to capture them. We’re going to continue to see paid online media grow as a digital marketing tactic throughout 2015.

With all of these trends, I think the biggest one we continue to see is how marketers are experimenting with their digital marketing mix. When looking at the buying cycle, there are more and more ways to target users at different points in the funnel, and brands certainly aren’t shying away from trying them all. From presence on multiple social networks, to PPC ad campaigns, to user-generated content and contests, we’re seeing it all.

We’re barely a quarter of the way through 2015, and already the year is proving to be an exciting time to be a part of such a dynamic marketing landscape. Hopefully we’ll continue to see innovation drive the engagement strategies of brands and marketers, and I’m looking forward to seeing what trends make it out of the year on top.

What are some of your favorite trends in digital marketing so far? Tweet me @PennyRBaldwin and let’s continue the conversation.


If you are unsure of whether a destination link is safe, tools like TrustedSource are a good place to start.

A recently released McAfee report titled “Hacking into the Human Operating System”:

Investigates the role of social engineering within cybersecurity

Dives into the lifecycle of a social engineering attack (Research, Hook, Play, Exit)

Analyzes influencing psychological levers that yield the most success to engage the target for a successful attack execution.

If you’ve been following the news lately, the relentless string of major data breaches impacting millions of customers has affected every major business sector. What remains frightening is how a wave of phishing soars in the aftermath of any major breach, putting those that were impacted by the breach at possibly more risk, and putting those that were not impacted by the breach still in the crosshairs.

Social engineering almost always has a place in the success of these attacks; bringing to light the psychological levers these adversaries rely on to execute successful attacks can help disrupt these events from occurring. Of the six influencing psychological levers mentioned in “Hacking the Human Operating System,” scarcity is an influencing lever used as a mainstay of email phishing attacks, so I wanted to dive a bit deeper into this one.

Scarcity boils down to a limited window of time that’s available to act. It can stretch to both ends of the spectrum – act now to gain something, or act now or else lose something. By doing so, it appeals to targets who are motivated by the opportunity for gain, and conversely preys on targets fearing the risk of loss by inaction.

Examples of missed opportunity:

“I came across your profile and couldn’t help but get excited. We have a really great opportunity for you at our company.”

“For a limited time…”

Examples of fear of inaction:

“Failure to respond within 24 hours will result in restricted access to your account.”

“Click to upgrade your email by Friday for uninterrupted access.”

“To ensure your privacy, log in within the next 48 hours to validate your settings.”

“Your email account has exceeded its limit, and you may not be able to send or receive messages. Click here to upgrade your account.”

Particularly, when lures are information-rich and target-relevant, a victim’s impetus to act is extremely strong. Let’s take a look at an example of an attack that uses the scarcity of time to prey on the victim. I’ve numerically annotated sections of the email below to help facilitate the analysis.

At first glance, a few things look correct when looking into the details:

1. The email sender appears to be from “American Express.”

3. Hovering over the “Contact Us,” “Privacy Statement,” and “Add us to your address book” appears to lead to the legitimate American Express site. All domains here begin with https://americanexpress.com.

Upon closer look, there are clues that reveal otherwise:

While the email sender and sender address were fully displayed when I viewed the email on my desktop mail client, it wasn’t as obvious from my mobile device (see below). Upon further inspection, the sender email is fxC4480@amoricanexpress.com. The misspelling in the domain name, amoricanexpress instead of americanexpress, should trigger suspicion. It’s always worthwhile to take a closer look at the sender address.

Hover over any links before you click on them. On my iPhone, holding down the “please click log” call to action link reveals it leads to http://xx.xxx.xxx.xxx/americanexpress. (IP address has been obfuscated as it leads to a malicious site.) The fact that an IP address was used in lieu of a domain name might be reason to raise suspicion, especially given that the links in item 3 use the proper domain name (www.americanexpress.com). Further, the inconsistency in using both IPs and domains on the same page may also raise a red flag.

If you are unsure of whether a destination link is safe, tools like TrustedSource are a good place to start. You can leverage this type of resource to help you check the reputation of a Web page simply by querying its IP address, domain name, or URL. Keep in mind ultra-low prevalence targeted attacks may originate from a new server that lacks reliable reputation information, so while TrustedSource.org is a good place to start, it may not catch all poor reputations.

In this particular case, rather than click on the link, which may land me on a malicious site, I can go to TrustedSource.org and enter the IP address hiding behind the “please click log.” The results reveal that this IP address carries a high risk and is likely not safe (see chart below).
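The manual checks walked through above (a look-alike sender domain, a call-to-action link pointing at a raw IP address while other links use the real brand domain, and scarcity wording from the lure list) can be automated as mail-triage rules. The following is an added example, not the author's or McAfee's code: the message is constructed to mirror the one discussed, the brand allowlist is hypothetical, and 192.0.2.45 is an RFC 5737 documentation address standing in for the obfuscated IP.

```python
"""Added example (not McAfee's or the author's code): triage a phishing email
for the cues analysed above: a look-alike sender domain, a link that points
at a raw IP address instead of the brand's domain, mixed IP and domain links
in one message, and scarcity language. The message, the brand allowlist and
the 192.0.2.45 address (RFC 5737 documentation range) are constructed."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allowlist of domains the brand legitimately sends from and links to.
BRAND_DOMAINS = {"americanexpress.com"}

# Scarcity cues taken from the lure examples above (matched case-insensitively).
SCARCITY_PATTERNS = [
    r"within (?:the next )?\d+ hours?",
    r"for a limited time",
    r"by friday",
    r"failure to respond",
    r"exceeded its limit",
]

# Constructed sample message modelled on the email discussed in the post.
SAMPLE_EML = """From: American Express <fxC4480@amoricanexpress.com>
To: customer@example.org
Subject: Action required: validate your settings
Content-Type: text/html

<html><body>
<p>To ensure your privacy, log in within the next 48 hours to validate your settings.</p>
<p><a href="http://192.0.2.45/americanexpress">please click log</a></p>
<p><a href="https://www.americanexpress.com/contact">Contact Us</a></p>
<p><a href="https://www.americanexpress.com/privacy">Privacy Statement</a></p>
</body></html>
"""


def edit_distance(a, b):
    """Levenshtein distance; one substitution separates amoricanexpress from americanexpress."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude registrable-domain reduction (last two labels) for the brand comparison."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike_of(domain, brands=BRAND_DOMAINS, max_distance=2):
    """Return the brand domain this domain imitates, or None if it is genuine or unrelated."""
    if domain in brands:
        return None
    for brand in brands:
        if edit_distance(domain, brand) <= max_distance:
            return brand
    return None


def extract_links(html):
    return re.findall(r'href="([^"]+)"', html)


def is_raw_ip_link(url):
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(raw_eml):
    msg = message_from_string(raw_eml)
    _, addr = parseaddr(msg["From"])
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    links = extract_links(body)
    raw_ip_links = [u for u in links if is_raw_ip_link(u)]
    brand_links = [u for u in links if registrable(urlparse(u).hostname or "") in BRAND_DOMAINS]
    cues = [m.group(0) for p in SCARCITY_PATTERNS for m in re.finditer(p, body, re.IGNORECASE)]
    findings = []
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain} resembles {imitated}")
    if raw_ip_links:
        findings.append("link target is a raw IP address rather than a domain")
    if raw_ip_links and brand_links:
        findings.append("message mixes raw-IP links with genuine brand-domain links")
    if cues:
        findings.append("scarcity language: " + "; ".join(cues))
    return {
        "sender_domain": sender_domain,
        "lookalike_of": imitated,
        "raw_ip_links": raw_ip_links,
        "scarcity_cues": cues,
        "findings": findings,
        "verdict": "suspicious" if len(findings) >= 2 else "no strong cues",
    }


if __name__ == "__main__":
    report = triage(SAMPLE_EML)
    print(report["verdict"])
    for finding in report["findings"]:
        print("-", finding)
```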

And indeed, the link leads to a spoofed phishing site. At a glance, can you tell which is the legitimate site and which is a spoofed phishing site? (Answer will be revealed at the end.)

To learn more about the psychology and nature of social engineering attacks, a full copy of the research report “Hacking the Human Operating System” can be found here. You can also run an awareness program within your organization using the quiz to better understand your risk profile.

And by the way, the first of the two images above is from the spoofed site, and the second is from the legitimate site. How did you fare?


Successful social engineering attacks through IoT systems could lead to a perception of being surrounded by hostile devices, and greatly retard development; making the consequences of social engineering attacks in the IoT very significant.

Social engineering attacks will certainly evolve into the Internet of Things (IoT), if they have not already. These attacks have the potential to be lucrative for the threat agents in terms of fraud, identity theft, espionage and even property ransom.

My colleague Raj Samani recently published a paper where he defined social engineering as “The deliberate application of deceitful techniques designed to manipulate someone into divulging information or performing actions that may result in the release of that information.”

The IoT represents a whole new and fertile territory for social engineering attacks, which blend some of the most effective attacks from the contemporary Internet with attacks more commonly found in the industrial-control world. Namely, attacks that combine the capture of information with intrinsic value (passwords, account details, access to vulnerable systems) with tricking users into executing complex sequences of commands on the basis of misinformation.

The current generation of Things on the Internet have dubious security. You will find plenty of reports of devices like baby monitors, TVs, medical devices, and even cars that have been hacked or are demonstrably vulnerable to hacks. At this point we have little reason to believe this situation will improve in the near term. The lack of standards, coherent regulations and the demand for cheaper, not more expensive, Things will ensure that opportunities for social engineering and hacking the IoT in general will not be in short supply.

Why is this different than social engineering today?

The consequences of social engineering attacks in the IoT could be worse than the same attacks in the “IT Internet” of today.

The perception goes from one of “living with weak devices” to being “surrounded by hostile devices”! Devices that might at any time try to deceive you into doing something against your interests, like a malevolent robot from a science fiction movie. That would be bad. It is one matter if your Things are being hacked and compromised behind your back; it is another matter if your Things are tricking you into hurting yourself, or others. As potential outcomes:

Social engineering attacks in the IoT will delay adoption of technologies that otherwise might present major social and business benefits.

Social engineering attacks in the IoT will undermine confidence in the safety – not just the security – of the IoT. Social engineering in the IoT is a potent form of force-multiplier because people ultimately have control of all Things: hack the person and you have access to it all.

Social engineering attacks in the IoT might raise the levels of regulation in a reflexive and ill-conceived manner, with outcomes as uncertain as leaving the IoT at its current, low state of security-maturity. (See my blog post about regulators in the IoT.)

Where do we begin to address social engineering in the IoT?

Like social engineering on the Internet today, there is no single remedy. Layers of security and technology will need to be applied. Existing products from many vendors will need to be enhanced, and new solutions will need to be developed.

But I propose there are at least two specific areas that need to be a focus: one is a “management control” and one is a “technical control”:

Management standards. I blogged about IoT security standards. This work needs to continue quickly, and 2015 looks like a good year of progress, with both NIST and the Industrial Internet Consortium set to release reference designs including security for the IoT. We will have to see if these designs are sufficient to address the vulnerabilities to social engineering in the IoT.

Technical solutions around authentication and encryption that low-resource Things can support. The harder it is to send and display fraudulent messages via Things, the harder social engineering with Things will become. Things need lighter, faster, more efficient authentication and encryption technology than is typical today with symmetric and asymmetric crypto. I also blogged about this topic under the heading “Multi-party authentication in the IoT – part 1, part 2, part 3”.


By Kent Landfield, Director of Standards and Technology Policy, McAfee, and Malcolm Harkins, Chief Security and Privacy Officer at McAfee

When the Administration released the Framework for Improving Critical Infrastructure Cybersecurity (the Framework) on February 12, 2014, many of us at McAfee were familiar with the details, as we had participated extensively in the public-private collaborative process to develop the Framework. What we didn’t yet know, however, was how the Framework would stand up when put to the test: what kind of learnings it would yield, what kinds of benefits it would really have. We knew theoretically that the Framework should be a valuable tool for organizations of all sizes, but we wanted to try it out ourselves to see if those expert assumptions were valid in a real organization. We aimed high: the business unit we partnered with to develop the McAfee use case is sophisticated in terms of cybersecurity and manages a large range of products and services. We chose McAfee IT and targeted the Office and Enterprise areas of our compute infrastructure to conduct our pilot project.

We focused on developing a use case that would create a common language and encourage the use of the Framework as a process and risk management tool rather than a set of static requirements. That aim proved successful, and we recently documented our experience in a white paper. Even in these early stages, the Framework has already helped us harmonize our risk management technologies and language, improve our visibility into McAfee risk landscape, inform risk tolerance discussions across our company, and enhance our ability to set security priorities, develop budgets, and deploy security solutions.

One of the most valuable aspects of this pilot project is the discussions about security processes and terminology it has been generating. For example, a security policy might be written the same way across the corporation but implemented differently in groups such as manufacturing and human resources. Recognizing these differences is important, and discussing them becomes part of the security culture of an organization.

We plan to implement the Framework in other parts of McAfee, and we encourage other organizations to implement it too. Some words of advice based on our experience:

For implementation of the Framework:

Do it yourself. Don’t rely on others to come in and give you an assessment, because the Framework is meant to be a tool for discovery – not a standard for measurement.

Start where you are comfortable. It made sense for us to start with the Office and Enterprise business functions because our IT Security organization had already begun similar efforts.

Tailor the framework to your business. Adding, changing or deleting categories and subcategories helps the Framework align with an organization’s business environment. Don’t be afraid to customize the Framework.

Engage decision makers in every stage of the process – continually. Cyber risk management is a dynamic process that doesn’t have a neat end result. A continuous process of iteration and validation will result in an ongoing dialogue about risk, which is the aim.

For continued work on the Framework:

Include cyberthreat intelligence. As the Framework continues to develop in the U.S., we believe it should include key elements such as the cyberthreat intelligence lifecycle, which is essential to developing a robust understanding of cybersecurity attacks.

Extend beyond the U.S. We believe the Framework’s benefits are not confined to the U.S. In fact, governments in other parts of the world have begun reaching out to learn more about its potential. We encourage transnational dialogue and adoption of the Framework across the globe.

McAfee looks forward to continuing to use the Framework to analyze other areas of our business, as we believe it will provide value across our entire organization. Because we’ve taken the Framework out of the wrapper and made it a working tool, we feel confident in our belief that by focusing on risk management rather than compliance, the Framework has the potential to help transform cybersecurity on a global scale and accelerate cybersecurity across the compute continuum.

This blog post was written by Penny Baldwin. Passwords – both a blessing and a curse!

When used correctly, they keep you safe and protected from those attempting to steal your personal information. However, with a different password for every site or app, remembering each one becomes a difficult task.

I’ve become all too familiar with the turmoil that a forgotten password can bring. Really, though, who hasn’t? Between personal and work email logins, all corporate and personal social media properties, internal portals, and blog sites (need I go on?), we have a lot of passwords to keep track of.

What if I told you there’s a better way to keep track of all of your passwords in one simple and safe service, alleviating the headache of remembering them at all?

Introducing True Key from Intel Security. An easier, safer way to unlock your digital world. You can download True Key on your phone, tablet or computer and get where you want to go faster – without the hassle of having to remember, or type multiple passwords. True Key unlocks your apps, websites and devices using things unique to you—like your facial features, the devices you own, or a fingerprint, for flexible multi-factor protection. From there, True Key takes your current passwords and makes them stronger, remembers them and instantly logs you in.

Sayonara, passwords!

Right now, True Key is available in limited release, and for those of you present at CES, we’ll be showing the product details live.

Make sure you stop by the Intel booth #7252 at CES to participate in some exciting demos of our new technology, and anyone who visits will receive a free 1-year premium subscription to True Key!

For more information on this product and the Intel Security events at CES, follow myself and @IntelSec_Home on Twitter, and Like us on Facebook.

What a Breach can Teach: It Starts with a Strategy (https://securingtomorrow.mcafee.com/executive-perspectives/breach-can-teach-starts-strategy/, Tue, 06 Jan 2015)


This is part II in a series on proactive defense using a proven professional services security methodology

To me, the human body is a miracle and a mystery. But, I often think the same thing about the growing complexity of enterprise networks and the security solutions that are intertwined throughout them like our delicate circulatory system. I’m thinking about this as I run through the neighborhood with two pain-free knees that wouldn’t be so strong today had I not found a doctor who, in many ways, is like a professional network administrator trained to tie all the systems together for optimum performance.

You see, after years of knee pain, my boss recommended that I visit an orthopedic surgeon he knew. He said, “You’ll appreciate this guy. He has the same security services mentality as we do.” I wasn’t quite sure what he meant, but I assumed it had something to do with the doctor’s innate ability to holistically evaluate my ‘network’ (so to speak). I was really hopeful that this new doctor would finally be able to uncover the foundational issues causing my pain.

From the minute I walked into his office, I knew this doctor was different. The questions he asked intrigued me. His approach reminded me of the way professional services consultants assess a project – first working to understand the client’s pains and challenges, and then using a systematic methodology to move forward with the solution. In my case, the doctor first asked questions to get deep into the heart of the issue and then he analyzed the same MRI that had been reviewed by several doctors in the past. Unlike them, he dissected it frame by frame. The root of the problem was bone chips – compounded by severely atrophied quad muscles.

The doctor uncovered the core problem, devised a solution, and executed on it. The answer was months of physical therapy in preparation for surgery. The doctor’s approach is what we mean when we talk about being relevant – having a greater understanding of what our customers need even if they’re not quite sure what they need. This ties in nicely with my last post where I discussed relevance as it relates to digital security and protecting our customers’ data – how it’s not just about having all the ‘right’ security solutions in place, but about operationalizing them all in order to experience the full value of their investment.

Whether he knows it or not, my doctor provided me with Level Three service from the Emerging Supplier Model – a model that Gavin Struthers, Senior Vice President of Worldwide Channel Operations, describes in his last post. This level requires that service professionals get closer to customer operations, understand the organization’s end goals, and help to optimize their ROI. In the case of security services, I know firsthand that there’s no way to guarantee that an organization is secure, but using a proven methodology to integrate the best technology is key to gaining the full value of your security investment – monetarily and functionally.

The McAfee methodology is tried and true – consisting of six phases: strategize, plan, design, implement, operate, and optimize. While these phases are not necessarily linear, the strategize phase ultimately begins the engagement and drives the phases through optimization. At any phase, however, the environment may require that we revisit one of the former phases. Developing a strategy can often be triggered by a recent event – like a breach – that has threatened the security of an organization. When this happens, the organization will typically seek out the experience of incident response professionals, like those with McAfee Foundstone, who are trained to uncover vulnerabilities and begin remediation to secure the network and the corporate data.

After the initial triage, the questions begin to flow in from the CISO or the CTO. “We’ve invested in state-of-the-art security solutions. How did this happen? Where did the breakdown occur and why? How can we avoid this in the future?” Experienced security services professionals can usually explain why this particular breach occurred, but in order to avoid something similar in the future, the team must use a strategic approach – one that identifies need and implements the right balance of technology, people, and processes to manage digital risk and leverage security investments more effectively.

Although the strategy phase must address dozens of security-related details, in general our team of professionals will identify corporate requirements and set strategic business objectives for security management and risk mitigation. This includes activities like:

Identifying strategic objectives and priorities

Assessing high-level structure of the existing security environment

Developing a strategy for deployment for the entire network

The good news about a security breach is this: It’s usually the event needed to bring security to the top of the organization’s priority list. Only when it’s top of mind can the focus shift from reactive to proactive – starting with a plan and moving through full optimization. In my next post, I will share how the planning phase from our proven methodology is born out of the strategy phase and feeds into the design phase – all critical to securing your organization’s assets and reputation.


There has been an age-old debate about the gap between ‘the business’ and ‘IT’. And nowhere is this more acute than when it comes to information security.

The CEO and the rest of the C-suite in the boardroom know that security is important and that the threats in this digital age are increasing. But they often lack the depth of technical knowledge to fully understand the risks to their business and, therefore, what security investments they need to make.

Yet ultimate responsibility for any security breach falls to the top table – some of the big breaches in the past year have led to several C-level executives paying the ultimate price. That’s got to be a wake-up call for any board members who think they can bury their heads in the sand or who believe that IT security is something they don’t need to concern themselves with in any detail.

So, how can the CIO or CISO communicate security risk to the board to justify investment in the necessary technology to protect the business?

It’s good to talk

The first step, of course, is to make it a responsibility for everyone around the boardroom table. A study by McKinsey and the World Economic Forum examined cybersecurity risk management practices with more than 60 of the world’s 500 largest companies. It found that senior management time and attention was the single biggest driver of maturity in managing cybersecurity risks.

Regulation and compliance

Traditionally one of the main reasons for CEOs and CFOs to sign off on security investment is for regulatory compliance. That’s both vertical industry regulations and national or regional legislation, such as the new – still to be finalised – EU General Data Protection Regulation and the EU Cybersecurity Directive. This is likely to be a strong driver in countries with very strict data protection laws, such as Germany and Sweden. There is a danger in just ticking boxes, however, and analyst Gartner warns that being compliant doesn’t necessarily mean your business is secure and says security should be “protection driven”.

Scare tactics

CIOs and CISOs have often resorted to fear to try to justify IT security investment. While there is certainly a responsibility to make the board aware of risks, simply touting ‘world might end’ scenarios isn’t the best approach. Gartner studied 300 board presentations on risk and security and came to the conclusion that using FUD (fear, uncertainty and doubt) to get board support just doesn’t work. “Executives don’t want to hear how bad everything will be if they don’t invest,” says the analyst.

Risk

Rather than presenting worst-case scenarios and then holding out the security collection tin to the board, the C-suite wants an honest assessment so it can make judgments on what is an acceptable level of risk – locking everything down is both too expensive and impractical. Does the company know what its most sensitive data is? Deloitte advises identifying the top information security risks to the business and assigning risk factors to each of them. The board can then make an informed call about where to place its security investment bets.

Business value and ROI

The best language to use to justify security investment to the board, of course, is that of business value and return on investment. Every other department has to use ROI metrics and security shouldn’t be any different. Yet security investment is notoriously difficult to justify in terms of ROI. But CIOs and CISOs can talk about the enabling effects of new security technologies. Think about the example of some banks deploying two-factor authentication, which boosts customer confidence in digital and online services and reduces losses from fraud. Or an oil company using security to connect its smart oil fields to the business infrastructure and avoiding downtime or interruption to oil production.

Don’t baffle the board with dashboards of technical operational security metrics and terrifying breach disaster scenarios. Encourage executives to take a proactive approach to information security by talking the language of the C-suite – risk versus reward and business value. Put the emphasis on security as a business enabler.

This blog post was written by Penny Baldwin.

The content marketing trend is in full swing. Now, the question is not whether to create your own branded content—it’s how to serve up the most digestible assets to a targeted audience, and actually see ROI.

As marketers, we produce a lot of content. From technical white papers and solution briefs to blogs and infographics, we’re constantly changing up the mix. A strong content strategy is the foundation of brand messaging. The building blocks of that strategy should be diverse, thoughtful and engaging.

Whether you’re building out a new content strategy or beefing up an existing one, it’s important to establish some basic pillars for success. Here are three:

Pillar One: Be the Educator

Utilize content marketing to become an informative hub, rather than a marketing microphone. Find a new angle that hasn’t been covered and take an educational stance. There is so much content out there to sift through, and yet quite often it’s not digestible enough for the average reader. First, remove your brand or product from the picture and provide educational information to the audience about the issue at hand—what it is, how it works, and what’s in it for them—then insert some product or branded messaging.

Pillar Two: Open Both Lanes

Online readers are tired of being funneled into a one-way street. Including the thoughts and experiences of your user base gives a more authentic feel to what should be a give and take, as opposed to a single lane output. Crowdsourcing content or engaging with comments and shares is the new wave of content marketing, and helps to open up the discussion to a broader audience. Look at outlets like Buzzfeed, whose success can be attributed to engagement and crowd-sourced posts.

Pillar Three: Syndicate!

Yes, you want to have a single platform for your content. However, if you’re not using syndication to your advantage, your message may not be available to those searching for it. For example, employee blogs can be reposted to LinkedIn, infographics can be sliced and diced for Slideshare, and all of it can be promoted via social media.

The most successful content marketing strategies are those that implement tactics to educate, interact, and syndicate. There are larger strategies that can be implemented here as well, but we’ll save that for another blog post.


The Internet of Things (IoT) needs “white networks” to scale and deliver the assurance we require for machine-things; white as in “clean and pure”. The IoT will contain all the devices on the current internet, plus many new devices used for machine-to-machine and industrial applications and services. In contrast to a “white network”, I would assess the regular Internet as “black” – filthy, full of attacks and threats, and no place for a wave of small, simple, cheap devices that were never engineered for the open ocean of the internet; most home and small business networks are probably dark grey – unhygienic at best and usually poorly protected; enterprise networks are “ash grey” – not clean but a respectable balance of risk and cost; and perhaps the best military-grade networks are merely off-white, because there really is no such thing as a pure network. This illustrates the conditions of today’s heterogeneous-network environments: even with good resources it is difficult to remain “clean”, and with little or no resources it is pretty much wishful thinking.

IoT services will be a vast range and combination of new Business-to-Business, and Business-to-Consumer applications: like home energy management, healthcare services, smart transportation, augmented reality in entertainment, and on and on. (In an up-coming book called “RIOT Control” we list several dozen examples of IoT use-cases, and security implications.)

It is a hallmark of many IoT/industrial/machine networks and devices that they are fragile: they do not respond well to “internet-like” conditions such as regular or occasional network probes and scans by adjacent devices, or seemingly random increases or decreases in traffic volumes, latency and packet loss. Many IoT services will treat merely degraded network service as a service failure – a very different situation from what most users and applications expect from the current internet. Many industrial services will fail or become unpredictable in performance if subjected to even mild forms of reconnaissance or attack over the network. Similarly, a large population of devices coming onto the IoT will mean that some of them will be defective or possess manufacturing defects (hardware or software) which result in them generating excess or malformed network traffic, sometimes to the point of making the network unusable. Another effect of large numbers of devices coming onto the network will be that some will not be properly secured physically, and will become platforms for unauthorized access to the IoT. They will become back doors and side doors into the IoT. In other cases, administrative errors in network management will see logically differentiated and segregated networks accidentally combined, or linked – with traffic from one “polluting” the other, with uncertain impacts on these fragile networks. Administrative errors such as this are already unfortunately common in carriers and enterprises alike – the complexity of the IoT and the growth of the many interconnected networks supporting the IoT can only increase this operational challenge.

Another aspect of industrial/machine networks in the IoT is that they will increasingly support critically sensitive, cyber-physical, logical-kinetic interfaces: the IT world controls the real world. In these instances, the potential for an IT security issue to manifest as physical harm and damage becomes very real. Already we are seeing instances of the potential criticality of the logical-kinetic interface and the harm that can result from insecure and fragile networks and devices. (See these stories about failed in-home, IP-based security systems, or IP-based utilities.)

White networks will be beneficial as a simplified form of security for the simplified forms of networking required by industrial and machine applications. White networks will be a matter of allowing only very prescribed machine traffic, and then deny=* (all). In other words, a white network is like application whitelisting (where only allowed software may start and stop on desktops, devices and servers), but for networking: only explicitly allowed ports, protocols, sources, destinations, frequencies, volumes and possibly even application payloads and time-of-day are allowed. (This list could even be extended to empirical criteria like environmental conditions, for instance, rain versus sun.) Everything else is denied and sets off alarms.

White networks are highly antiseptic, and a value-added service which might be offered by carriers or IOT service providers. They will need to be configured for the IoT services in question – so they will not be a commodity. And they will need to be established and managed carefully. But, once established they should run and provide substantial assurance in an automated manner.
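A white-network policy of the kind described above, written as an added example rather than code from the post: flows are admitted only when they match an explicit rule for source, destination, protocol and port and stay within that rule’s frequency, volume and time-of-day limits; everything else is denied and raises an alert. The meter-to-head-end rule, addresses and timestamps are constructed for the example.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class Flow:
    """One observed flow summary (constructed for this example)."""
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


@dataclass(frozen=True)
class AllowRule:
    """The prescribed traffic for one machine conversation: the criteria the
    post lists, minus payload inspection and environmental conditions."""
    src: str
    dst: str
    proto: str
    dport: int
    max_per_minute: int          # frequency
    max_bytes: int               # volume per flow
    window: tuple[time, time]    # time-of-day


class WhiteNetwork:
    """Admit only flows that match an AllowRule within its limits; deny and
    alarm on everything else (deny=* by default)."""

    def __init__(self, rules: list[AllowRule]) -> None:
        self.rules = rules
        self.alerts: list[str] = []
        # (rule index, minute) -> flows seen, for the frequency check
        self._per_minute: dict[tuple[int, datetime], int] = defaultdict(int)

    def admit(self, f: Flow) -> bool:
        for idx, r in enumerate(self.rules):
            if (r.src, r.dst, r.proto, r.dport) == (f.src, f.dst, f.proto, f.dport):
                break
        else:
            return self._deny(f, "no allow rule matches (default deny)")
        if not (r.window[0] <= f.ts.time() <= r.window[1]):
            return self._deny(f, "outside allowed time-of-day window")
        if f.nbytes > r.max_bytes:
            return self._deny(f, f"volume {f.nbytes} B exceeds {r.max_bytes} B")
        minute = f.ts.replace(second=0, microsecond=0)
        self._per_minute[(idx, minute)] += 1
        if self._per_minute[(idx, minute)] > r.max_per_minute:
            return self._deny(f, f"frequency exceeds {r.max_per_minute}/minute")
        return True

    def _deny(self, f: Flow, why: str) -> bool:
        self.alerts.append(
            f"{f.ts.isoformat()} DENY {f.proto} {f.src}->{f.dst}:{f.dport} ({why})")
        return False


# Hypothetical rule: a meter (10.0.1.5) reports to a head-end (10.0.0.2) on
# TCP/4059 at most twice a minute, under 2 KB per report, during the day.
METER_RULE = AllowRule("10.0.1.5", "10.0.0.2", "tcp", 4059,
                       max_per_minute=2, max_bytes=2048,
                       window=(time(6, 0), time(22, 0)))


def run_sample() -> tuple[int, list[str]]:
    """Feed constructed flows through the policy; returns (admitted, alerts)."""
    net = WhiteNetwork([METER_RULE])
    t0 = datetime(2015, 1, 6, 9, 0, 0)  # arbitrary constructed timestamp
    m, h = "10.0.1.5", "10.0.0.2"
    flows = [
        Flow(t0, m, h, "tcp", 4059, 512),                               # normal report
        Flow(t0, m, h, "tcp", 22, 60),                                  # probe of an unlisted port
        Flow(t0 + timedelta(seconds=10), m, h, "tcp", 4059, 512),       # 2nd report: still allowed
        Flow(t0 + timedelta(seconds=20), m, h, "tcp", 4059, 512),       # 3rd in a minute: chatty device
        Flow(t0 + timedelta(minutes=5), m, h, "tcp", 4059, 50_000),     # oversized report
        Flow(t0.replace(hour=23, minute=30), m, h, "tcp", 4059, 512),   # out of hours
    ]
    admitted = sum(net.admit(f) for f in flows)
    return admitted, net.alerts


if __name__ == "__main__":
    count, alerts = run_sample()
    print(f"admitted {count} flow(s)")
    print("\n".join(alerts))
```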


I am extremely excited and very proud to make this announcement. Following a competitive process, with over 250 worldwide nominations spanning all major industries, Oracle’s evaluation committee has selected McAfee as the winner of the 2014 Oracle Excellence Award for Fusion Middleware Innovation in the WebCenter category at Oracle OpenWorld in San Francisco.

Congratulations to the IT Solutions Delivery team who built the self-service Customer Service Portal to achieve this incredible milestone for the company, and thank you to the management team who has helped fast-track this team to success.

“This award highlights McAfee’s commitment to making it easy for our customers and support teams to find the right security resources and tools to keep their IT infrastructures secure,” said Deepa Gopinath, senior director, IT Solution Delivery, who accepted the award. “We’re honored to receive this prestigious award from Oracle.”

I am very proud of the IT Solution Delivery team. They are an exceptional representation of the IT organization. Their work and award shows how far this team reaches to ensure that they have built a successful product and provide an exceptional experience for our customers. They truly deserve this award.

McAfee and the IT Solution Delivery team were recognized for the innovative development of the Customer Service Portal using Oracle’s WebCenter Portal and Content Framework. McAfee’s self-service Customer Service Portal, which went live in February 2014, integrates McAfee’s knowledge base, Threat Center information and Siebel CRM data, and provides seamless access to McAfee supportability tools through a single experience. The portal enables the company’s global gold and platinum customers to research solutions, manage problem tickets, download patches, submit malware samples, manage user profiles and more. As a result, the portal now provides the company’s gold and platinum customers, as well as our internal McAfee support agents, with a world-class and seamless user experience. Many thanks to everybody who helped us build this exceptional product and for your enthusiasm along that long road!

This blog post was written by Penny Baldwin.

Connected technology is changing everything from physical devices to web security. The idea that Americans have of a connected lifestyle is gradually becoming reality, and as a result, we’re seeing a spike in consumer concern about security woes. The Internet of Things is something that fascinates me – not only will it change the types of devices in our lives, but it will also change the consumption of information, thus leaving a wide window open for marketers, PR pros and advertisers alike. This raises the question: what will technology look like in 25 years, and how can we prepare?

Last week, McAfee released a study that I’m pretty excited about. Safeguarding the Future of Digital America in 2025 highlights the predictions of 1,500 U.S. consumers about what the tech industry will look like in 11 years. The insights that we were able to glean from this effort provide some interesting takeaways about how accepting consumers are toward connected technology, and just how aware users have become of the security problems that come with smart devices.

All of the information in the report provides fascinating insights into the mind of the American consumer, but there were some highlights that stood out to me:

Just wear it! By 2025, consumers will expect more from their everyday devices. In fact, 77% of consumers predict that in 11 years the most common device will be a smart watch, with 70% believing wearable devices will be mainstream and commonly used.

Robots will come to work. Sixty percent of the respondents believe that artificial intelligence and robotics will assist with their job tasks. If this prediction comes to fruition, it’ll likely mean an increase in security resources in the workplace.

Your app knows best! By 2025, many consumers believe that applications will be sending vital information to doctors, with 70% stating that this information will be sent directly into the hands of the physician.

What do you think the tech industry will look like in 2025? Will we all be wearing smart watches and receiving grocery reminders from our refrigerators? Tweet me @PennyRBaldwin and use the hashtag #FutureTech if you have a thought to share!

Six Lessons I Learned About Being a Great Leader (Mon, 11 Aug 2014): https://securingtomorrow.mcafee.com/executive-perspectives/six-lessons-learned-great-leader/


A leader serves at the front of the organization and makes a concerted effort to identify the needs of a team. More importantly, leaders foster collaboration to drive a mission forward, efficiently and effectively. They employ keen listening skills, and demonstrate that they understand the best interests of the team members as well as the best interests of the overall organization. At the core, this is my definition of what a leader is and represents. These are a few lessons that I have learned from both ups and downs throughout my leadership journey.

Have a Set of Guiding Principles. I find it helpful to identify clear guiding principles relative to the core culture and values that we want for the organization. You don’t need more than 5-10 core principles, but articulating them helps to give the organization a clear sense of the culture that we’re collectively trying to build.

Develop a Long-Term Vision. There is always so much happening on a day-to-day basis. I find that without establishing a longer-term vision for an organization, along with key strategies for how to achieve it, it is always easy to get caught up in the day-to-day and never get to the more strategic efforts that require greater time and effort to achieve.

Be Comfortable with Taking Risks. As a leader, you are always facing risks. One of the biggest organizational risks I’ve taken was to implement sweeping leadership changes within IT. At the time we had six VPs, with an overly complex management model that didn’t work for IT or our business leaders. Even though we had a great staff, we had a lack of leadership. As a result, I led a major organizational transformation that resulted in our transitioning from six to three VPs, with only one being the same. At the time, people felt I was moving too quickly, but I felt this was the only way to unleash the talent that our team possessed. Moreover, I recognized that this could have impacted not only the company’s success, but also employee morale and growth. All it took was for me to have the guts to make the necessary changes.

Embrace Challenges. Something that I commonly witness among leaders is the attempt to talk themselves out of having to address uncomfortable organizational challenges such as realigning a team or shifting responsibilities. They question whether to move forward with an action, if the action will have a negative impact, or if they should continue with the status quo. My response to these questions is that you can never have one hundred percent certainty, but if you’re questioning the same situation, day after day, week after week, then in your heart of hearts, you know you need to do something about it. Second-guessing yourself only enables procrastination – ultimately affecting the organization more than you.

Know When and How to Find Balance. I believe that you’ll spend time on whatever is placed on your schedule. It is important to get some programmatic governance onto your calendar. You should think about the bigger picture, resources and programs and make sure that tasks are executed. Be mindful not to get caught up only in the day-to-day issues that happen. You need to make sure to allocate enough time on the longer term and more strategic initiatives.

Keep Your Fingers on the Pulse. There’s always so much going on. If you ever consider, even for a day, that you’ve accomplished everything and you think you can stop all innovation, that’s a very dangerous thought. Technology is always changing. Customers are always changing. We need to continually evolve. The more we can embrace uncertainty with market changes, the less disruptive change feels.

The more engaged I’ve become on social media, it actually makes it easier to see what other companies and leaders are doing, as well as to pinpoint nuggets on how we can apply it to our company. It feels like the pace is moving much faster, but we have more tools at our disposal to help get a handle on what’s going on. The more willing you are to listen to the conversation, the more inclined you may be to embrace change.

What lessons or tips have inspired you to enhance your skills as a leader? Whether it is through your own personal experience or word-of-mouth, share your leadership thoughts with me on Twitter @PattyHatter.


This week we’re heading to Colorado for the Aspen Institute’s annual Aspen Security Forum. I’ll be speaking on a Friday panel entitled “WMD: The Nightmare Scenario,” discussing the application of cyber-attacks against critical infrastructure such as water systems, power plants, the electric grid, and industrial systems such as chemical plants.

Cyberspace is now widely acknowledged as the fifth domain of warfare joining land, sea, air, and outer space. But while cyber warfare is now acknowledged as a serious national security threat, we still don’t think of cyber-attacks in the context of weapons of mass destruction (WMD).

WMD is a term defined by US law (18 USC §2332a), and the FBI web page states that “WMD is often referred to by the collection of modalities that make up the set of weapons: chemical, biological, radiological, nuclear, and explosive (CBRNE). These are weapons that have a relatively large-scale impact on people, property, and/or infrastructure.”

Although a cyber-attack is digital, not physical, it is a threat that could physically harm thousands or tens of thousands of people. It’s likely that we will confront more cyber-attacks than chemical or dirty bomb attacks, given the ease with which rogue states and non-state malicious parties can engage and given the difficulty of deterrence.

Results-Centric versus Device-Centric Threats

Physical harm is physical harm, regardless of the attack vector. We must therefore think of WMD in results-centric terms, not device-centric terms.

We saw Stuxnet destroy Iranian centrifuges through an attack on and manipulation of control systems. Such an attack on a water system could lead to the poisoning of a region’s water system very much along the lines of the recent Elk River incident in West Virginia. Physical, life-threatening harm, at scale, should be taken seriously regardless of the attack vector.

Ease of Engagement

Cyber-attacks of any nature are more likely than their chemical, biological, or nuclear peers because the ease of engaging in this kind of conflict makes such clashes more likely.

Earlier this week, I talked about the Cybercrime-as-a-Service Economy that enables “Pay-to-Prey”, the dynamic where the cyber skills available for hire online are allowing any number of criminal groups to get into cybercrime. The fact is that the availability of these skills and capabilities for hire is also a dynamic in play in the area of cyber conflict. Smaller players can now wage cyber war with credit cards, a few smart people, some servers and an internet connection.

And while we have protocols in place to monitor the transfer of nuclear materials and govern the development and use of chemical weapons, there are no such protocols in the case of cyber weapons.

Unreliable Deterrence

Traditional strategies of deterrence don’t apply in cyber. Stockpiling weapons and threatening retaliation lack the deterrent quality they have in other fields of conflict.

In the physical realm, major powers deter attackers by building insurmountable arsenals of bombs, tanks, and battleships. In the digital realm, a cyber-threat used by one is a cyber-threat shared by all. The moment it is used and discovered, it belongs to the digital commons. When nations lack the deterrent advantage stockpiles normally afford, deterrence becomes tricky if not impossible.

Add to this the challenges of attribution. When the power grid goes down, or water systems don’t work as the result of a cyber-attack, it’s hard to prove who did it. This makes it more difficult for nations to retaliate, and without the threat of retaliation, aggressors are less effectively deterred.

Let’s Have the Conversation

If you think of WMD in results-centric terms, the relative ease by which players can engage in cyber-attacks, and the challenges of deterrence in a digital context, you can’t avoid the conclusion that cyber weapons must be very much in the WMD conversation.

The good news is the national security community understands the WMD potential of cyber, and the conversation today is more about agreeing on solutions, partnerships, and contingencies than it is about inevitability and despair.

Public-private partnerships provide the opportunity for targeted organizations to strengthen defenses by learning from each other, including threat intelligence sharing and incentives for stronger defenses.

In my next post, I’ll outline how we can address this digital WMD threat if governments and private sector players take action together in a variety of areas.

This blog post was written by Penny Baldwin.

Today’s job market is a foreign landscape when compared with what it was when I graduated college from San Francisco State University. At that time, applying for entry-level job positions was about a strong resume and cover letter as opposed to what came up when someone searched your name on the Internet. As thousands of students make their way across the college graduation stage this month and next, many of them are plagued with the question of how to secure that coveted first ‘real world’ job.

Each industry is different – an engineer will have an entirely different job-hunting process than, say, a teacher. However, for those students looking to break into the ever-evolving marketing industry in one form or another, I have outlined some helpful tips to keep in mind while applying for that dream job straight out of college.

Tie your resume back to the job description. All marketing campaigns are tied back into overall corporate communications or brand marketing goals. If you’re just throwing numbers on your resume and selecting your words based on their level of stickiness, your resume will end up in the talent manager’s trash. As a future marketer, you must show that you’re already able to think like a professional by tying experience back into the qualifications and requirements from the job posting to which you’re applying. Even if you do not have direct marketing experience straight out of college, that’s OK. Instead, tie the experiences that you do have back into marketing characteristics required in the description. For example, if you waited tables in college, frame the details so that they highlight the way that you upsold certain items or changed communication tactics based on the customer (i.e., communicating with foreign tourists is different than communicating with local regulars). For more specific resume-writing tips, I found this article to be useful.

Use social media to your advantage. Think about using social channels for your professional benefit, instead of as a tool to climb the social ladder. Social media can be a powerful weapon during a job hunt and can often be the deciding factor as to whether or not a candidate transforms into an employee. Use Twitter as an extension of the classroom and post content that educates and informs about the industry you aspire to be a part of, or participate in marketing Twitter Chats to show your interest in the space. Manage your Instagram account as a way to showcase your interests alongside creative talent and eye for design aesthetic. Follow brands, companies or agencies that you wish to be a part of on all channels as well, especially Facebook and LinkedIn. Market yourself and your skills using social media – after all, it’s free publicity for your personal brand.

Make yourself marketable. So you have a topnotch resume, squeaky-clean social media channels with engaging content, and you’ve even identified whom to properly address your cover letter to – are you a shoo-in? Not necessarily. We’re seeing a lot of young marketers and recent graduates take their personal brand one step further to clinch that top spot even before the first interview by creating an online CV, personal website or visual portfolio to put top talents and interests on display. Some great free tools for this type of thing are about.me and wix, or even Tumblr, WordPress or Blogger. Select a platform that will best showcase your work and link to it on your resume and in all of your social media profiles. Be sure to keep this site updated and really take the time to be thoughtful about the look and feel so that it portrays your personality as well as your talent.

Want to ask a question about how you (or your graduate) can be more marketable in the job search? Tweet me @PennyRBaldwin and let’s start a conversation.


The third meeting of the International Standards Organization’s (ISO) Special Working Group (SWG) on the Internet of Things (IoT) recently took place in Chongqing, China. The purpose of the SWG is essentially to assess what has been done to date on IoT standards and to provide guidance to ISO so that existing standards might be evolved, as appropriate, to meet the needs of the IoT.

In the area of security, this may mean that the ISO 27000 family of management and operational standards, the world’s most widely adopted set of security standards, gets an update to accommodate new security requirements associated with the IoT.

Auditing and standards will be critical to the IoT because they enable technical interoperability, and from a risk management perspective they enable business interoperability.

Without standards, the effort to get independently developed IoT systems working together will be a much more difficult process involving an effectively infinite number of point-to-point relationships, which simply do not scale.

Without standards, the IoT will evolve slower, will be more expensive and will ultimately possess lower quality and higher risk. The higher risk part will start with the business risks we discuss in this chapter, but extend to the operational risks we discuss in the next chapter and to an unlimited range of technical risks that we do not attempt to address.

The reason the IoT will be unmanageably risky without standards is the additional complexity that will come without them. Already the IoT will be the most complex and intricate thing ever created by mankind, with billions and billions of (literally) moving parts connected by ubiquitous and heterogeneous (many different types of) networks. From a risk management and security perspective, no standards means each IoT system will need its own individual and unique security investments and assessment.

If each IoT system has individual and unique security, then each interface or connection between systems will have to be established through slow bilateral processes. Such a system would be uncontrollably expensive and would violate one of the most common business requirements of the IoT, that it possess financial justification: that the IoT creates value rather than destroying it.

The alternative to security standards in the IoT is an expensive, bilateral system of security and risk management, or managers, owners and users simply accepting unknown risk, the worst type of risk management decision of them all and, in many cases, an option counter to regulation and law.


As I’ve noted in my earlier post, directed cyber attacks and advanced malware can jeopardize sensitive information including valuable customer data, often resulting in immediate financial loss as well as ongoing damage to brand loyalty, vendor relationships, and investor commitment. As we’ve all seen with the latest retail issues, the hits just keep coming, and a serious intrusion can harm sales, customer confidence and even stock performance.

Although some of these attacks have been carried out using advanced intrusions that beat the defenses of even the best security systems, the vast majority are still perpetrated using known methods against outdated or inadequate security processes and systems.

For the benefit of those who believe that “it can’t happen to me,” I thought I would pass along a few lessons shared with us by people who used to operate the same way.

Never stand down. Holidays are extremely attractive to information thieves, with large volumes of credit card transactions and IT teams that are often distracted with the task of keeping distribution channels operating smoothly. This is precisely the time companies should be paying even more attention to network security.

News never comes quickly enough. If the IT security protection is lacking, company executives will find out about a security breach not from the IT team, but from the news services or authorities such as the FBI or the Secret Service. This is entirely too late and forces the organization into an escalated crisis mode.

Crisis mode is really, really hard. Every waking moment is spent considering the next security decision, the next customer communication, the next interview or financial statement or investor call. And this could last for a very long time. So buckle in and be prepared for the ride.

Legal and investor relations steps must be focused and transparent. A good crisis management plan should include a goal to minimize the impact while maintaining transparency to customers, investors, financial institutions, government entities, and the press. At the same time, everyone with a communications role should be clear that customer and partner relationships cannot be compromised for the sake of transparency. The focus should be on what the company is doing, not who was hurt the most or how.

Lawsuits are possible. In 2009, a construction company claimed that a bank in Maine lacked the proper security controls to avoid an online theft of more than $500,000 from its bank account. The case, Patco Construction Company vs. People’s United Bank dba Ocean Bank, was initially thrown out in a summary judgment, but an appeals court reversed the decision in late 2012 on the grounds that the bank had not met the standard of implementing “commercially reasonable” security precautions. This decision and others like it have led the SEC to evolve its standards for financial security in the online world. Your legal and management teams need to be educated, informed and prepared to respond.

Fees could be very high. Specialists employed to conduct forensic analysis on a breach are expensive; so are other remediation steps, such as stripping out hardware and software systems. Expenses for special reporting activities for accounting purposes must also be factored in, often over several quarters.

By now it’s probably becoming clear that implementing a fully integrated security environment can in fact save significant costs compared to a major security breach. Tighter IT policies and updated systems can also help. And because nearly every executive has management oversight of sensitive data, they all should consider themselves “security obligated” executives. When everyone is thinking of security, the customer and the company are better served.


Last week, I discussed security-aware attacks that are capable of identifying and evading security solutions deployed on a system. One of the hallmarks of the new class of security-aware attacks is that they are specifically designed to bypass or avoid traditional security tools such as gateways and firewalls. In some cases, the design is so clever that the security system never has a chance to stop the intrusion.

Security-aware attacks are frightening because they provide the intruder with precious time to deliver the exploit and get it operational. As we have seen recently in the retail space, once an undetected exploit is active, it can cause significant damage to the enterprise and its customers, both immediately and over the long term.

Cybercriminals use a variety of novel approaches to creating these security-aware attacks.

One that we felt was particularly compelling takes advantage of the sophisticated capabilities HTML5 offers to deliver an exploit to a target environment in pieces, so the network security infrastructure never even sees it. The HTML5 feature isn’t a vulnerability per se, but simply a feature that is exploitable by cybercriminals.

Our R&D team recreated this attack to analyze its operation.

The attack starts with simple old-fashioned social engineering, by sending our target a standard email with a catchy invitation to open a link, which he did.

The link was opened in Chrome, which has a premium implementation of HTML5 to render content and execute dynamic web capabilities. In this scenario, there is no underlying vulnerability, but rather the power to use JavaScript to fetch multiple components of the exploit in pieces and rebuild the executable in the browser. By building the executable in the browser, the executable is never seen by any network infrastructure.

To pull the pieces of the exploit in a manner that would not raise alarm if the pieces were analyzed by network infrastructure, the content was encoded into standard images and toolbars that the webpage would display. What was not apparent by looking at the images was that additional binary data had been hidden in them using steganography and could be extracted algorithmically. Steganography works by making extremely small changes to the image data that are not perceivable by human observation, but can be extracted algorithmically.

HTML5 is comprised of HTML, CSS and JavaScript. The JavaScript capabilities can access elements on the page and even create new elements. By accessing the images on the page and extracting the binary data using a steganography algorithm, the local code in the browser can recreate a malicious executable. The JavaScript can also create and modify HTML elements, which allows it to offer the new executable for “download” to the client. When the user downloads the file, it is being downloaded from the browser, not the internet.

The firewall never saw the exploit, nor did any other infrastructure such as sandbox appliances as the exploit itself never existed anywhere until it assembled itself inside the user’s computer.

How do you stop malware like that? The answer is that you need a security architecture in which endpoint and infrastructure collaborate to provide a comprehensive solution.
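As an added example from the defender's side (not McAfee's code or anything from the original post), here is a chi-square pairs-of-values steganalysis check that an endpoint or proxy could run over images a page loads, to flag the kind of hidden binary described above. It assumes the payload was embedded by LSB replacement (the post does not name the method) and constructs its own sample pixel buffers rather than reading a real image.

```python
"""Chi-square LSB steganalysis over an 8-bit pixel buffer.

Added example for the HTML5/steganography delivery chain described
above; it is not McAfee's code. It assumes the hidden binary was
embedded by LSB replacement (the post does not name the method) and
works on a plain list of grayscale pixel values so it runs without
an image library.
"""
import random


def chi_square_pairs(pixels):
    """Westfeld-Pfitzmann pairs-of-values test.

    LSB replacement with high-entropy data (compressed or encrypted
    payloads look random) drives the histogram counts of each pair
    (2k, 2k+1) toward their mean. The statistic sums
    (n_even - mean)^2 / mean over all used pairs: a value close to the
    degrees of freedom is what a balanced (embedded) histogram yields,
    while untouched images give much larger values.
    Returns (statistic, degrees_of_freedom).
    """
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat, pairs = 0.0, 0
    for k in range(128):
        n_even, n_odd = hist[2 * k], hist[2 * k + 1]
        mean = (n_even + n_odd) / 2.0
        if mean > 0:  # skip values absent from the image
            stat += (n_even - mean) ** 2 / mean
            pairs += 1
    return stat, max(pairs - 1, 1)


def scan_windows(pixels, window=8000, ratio_threshold=1.5):
    """Run the test over consecutive windows so a payload occupying only
    the first part of the image still stands out.
    Returns one (statistic/dof ratio, suspicious) tuple per window."""
    results = []
    for start in range(0, len(pixels) - window + 1, window):
        stat, dof = chi_square_pairs(pixels[start:start + window])
        ratio = stat / dof
        results.append((ratio, ratio < ratio_threshold))
    return results


def make_cover(n, seed=1):
    """Constructed stand-in for a processed photo or toolbar graphic:
    most odd values are pushed to the even neighbour, giving the uneven
    pair histogram the test relies on. Not real image data."""
    rng = random.Random(seed)
    pixels = []
    for _ in range(n):
        v = rng.randrange(256)
        if v % 2 == 1 and rng.random() < 0.75:
            v -= 1
        pixels.append(v)
    return pixels


def simulate_lsb_payload(pixels, count, seed=2):
    """Overwrite the LSB of the first `count` pixels with random bits,
    mimicking a high-entropy payload. Used only to produce a sample the
    detector can be checked against."""
    rng = random.Random(seed)
    out = list(pixels)
    for i in range(count):
        out[i] = (out[i] & 0xFE) | rng.getrandbits(1)
    return out


def demo():
    """Constructed 64000-pixel cover, with a payload in its first
    three 8000-pixel windows. Returns the per-window verdicts for the
    clean and the tainted buffer."""
    cover = make_cover(64000)
    stego = simulate_lsb_payload(cover, 24000)
    clean = [flagged for _, flagged in scan_windows(cover)]
    tainted = [flagged for _, flagged in scan_windows(stego)]
    return clean, tainted


if __name__ == "__main__":
    clean, tainted = demo()
    print("cover windows flagged:", clean)      # all False
    print("stego windows flagged:", tainted)    # True for the first 3
```

On a real image the same test is applied to the decoded pixel plane; a sequence of windows whose statistic collapses to roughly the degrees of freedom is the signal, not any single absolute value.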


Everyone with an account on a smart phone, tablet, laptop or PC also knows about phishing, scamming, password and identity theft, and to some degree, file intrusion and hardware destruction through advanced malware. Probably less well known is the fact that savvy hackers will focus on individuals in specific businesses and high-end residential zip and area codes for maximum effect.

Attackers are smarter, more focused and better prepared.

The best way to protect yourself from this hostile environment is to reduce your digital profile, to make it harder to be hacked or hurt. Here are some ways that you can keep your families and your businesses safe online, across all aspects of your digital profile.

Connectivity

Not all “free” email offerings are alike. Many have privacy policies that aren’t in the best interest of the user. You can start by choosing an email system with highly reliable spam filtering capabilities to reduce your exposure to nasty scams. Gmail does a reasonably good job of this. Supplement this with a mass-unsubscribe service such as unroll.me to automatically drop spammy email.

Use a DNS filtering service instead of the basic DNS services provided by your ISP. OpenDNS typically offers superior web filtering services to reduce spam and phishing attacks. OpenDNS also has robust parental controls that help keep your children away from potentially dangerous sites.

Browser plugins such as Disconnect create a “Do Not Track” barrier for web pages that use cookies to follow you. This will limit the tracking of your browsing behavior and prevent data gathering by internet marketers.

Use passwords on your home Wi-Fi router to ensure others cannot tap into your network to download illicit files. Open Wi-Fi access points provide malicious users ample bandwidth to perform their nefarious acts while limiting their exposure from the ISP and law enforcement.

Try to avoid public Wi-Fi, especially those that advertise free connectivity. Instead, use a MiFi access point from your telecommunications provider or tether your computer to your phone. If you must use public Wi-Fi and you want your browsing to be secure from malicious users eavesdropping be sure to utilize a third-party VPN service. These services provide for an entirely encrypted transport from the device to the Internet removing the opportunity for someone sitting in the coffee shop with you to “snoop” your traffic.

Privacy

Routinely update your social media privacy settings to ensure your profile is appropriately protected. Check back regularly, since many social media platforms modify their interface, which often compromises previous privacy settings.

Trim your contact list regularly and ignore friend or chat requests from strangers on social media or Skype. These are often scams or phishing attempts that can be used to leverage your account to send spam to those listed in your address book.

Pirated software, movies and music come with unforeseen dangers. Many copyright-protected assets that are on the Internet as “free downloads” are laden with malware designed to steal passwords and potentially other data you store on that system.

Be aware of “Location Services” on your mobile devices and social media platforms. This capability adds a geolocation parameter to posts, pictures or even simple web browsing. It gives anyone viewing this information your location, signaling to the world whether you are at home, at work or elsewhere.

Authentication

Most operating systems have multiple accounts for users to access the system. For example, Windows operating systems have a Local Admin Account which allows a “Local Admin” to configure and modify all aspects of the system. Conversely, Windows also has a “Local User Account” which removes many of the advanced permissions. Most malware requires a “Local Admin” account in order to install and operate. Interacting with the system on a lower-privileged account can keep you safe, so reserve the “Local Admin” account for just administration tasks (updates, software installation, printer installation). Passwords remain a critical aspect of authentication to this day. Heed the warning not to use duplicate passwords, and make sure to use complex passwords for sites that contain private information, such as financial or healthcare sites. To help you remember all of those uniquely crafted passwords you can leverage a password manager that plugs directly into your browsers. These managers keep your passwords safe, and many have the option to auto-fill the password fields, making logging into your websites even easier.

Alternate forms of authentication are starting to take hold across the Internet. Biometrics, which take into account human attributes such as fingerprints, voice or even facial features, provide a higher level of security during the authentication process. Though not widely used currently, biometric authentication provides a very seamless way to interact securely without remembering all those passwords. Additionally, many institutions are deploying multi-factor authentication capabilities. Two-factor authentication combines something you know (like a password) with something you have, such as a token or a code that is sent to your email or via SMS. Where these features are available, I would highly recommend using one.

Be sure to utilize all the protections your IT systems provide. For example, many financial institutions provide limits on how much can be transferred or withdrawn electronically. These help customers limit the impact or damages due to fraud or illicit activity on their account. Many programs exist for your safety, so find the best one from your financial partner that will suit your needs. Perhaps even more important than some of these tips is good computer hygiene. For example, be sure to regularly install OS and application updates, keep an up-to-date copy of malware protection on your systems, and always maintain a good backup of critical files. For an extra layer of safety in your maintenance regime, you can encrypt your storage (with BitLocker, FileVault or TrueCrypt, among others). Also, consider purchasing identity theft insurance, and always wipe your devices clean before selling or disposing of them. Finally, shut down your computer at night. It may not stop the phishy emails, but it will keep your PC from becoming a bot attacking others while you sleep.

This blog post was written by Penny Baldwin.

No question, social media has changed how we market and how we communicate. No longer considered “new media,” today social media is a critical cornerstone to most companies’ efforts to keep their customers, partners, investors, and employees informed about key initiatives and to foster two-way dialogues that increase engagement, understanding, and loyalty.

Today I’m excited to enter into those conversations for McAfee and to leverage social media to share more about McAfee’s dedication to creating digital security solutions that protect individuals and businesses around the globe.

I joined McAfee at the end of last year and the reason was simple: the digital security category is growing at an explosive pace, and McAfee is well-positioned to capitalize on the trend. Our products, our people, our partners, our R&D, and our brand represent some of the strongest, smartest, and most valuable assets in the industry.

And with the innovation, market position, and resources of Intel, we are poised to deliver what no other security company can: comprehensive, integrated, connected, layered, hardware-enhanced security solutions for businesses and personal use that protect from the chip to the cloud.

This is an exciting time at McAfee and in our industry. I expect the pace of change over the next 12-18 months to far exceed any previous timeframe. We simply can’t afford not to keep innovating, whether in our products, our strategy, or our marketing. The immediacy, reach, and impact of social media is a critical tool for McAfee, and we’ve already launched several key initiatives with social at the center.

There is seemingly limitless potential and power in social media. That’s why today, I’m also launching my personal Twitter handle to stay better connected with our community online. I’ll be sharing news and information about McAfee, as well as my perspective on trends in the security space. Along the way, I’ll drop in some of my personal experience around best practices for integrated marketing, branding, and social media, plus some thoughts on women in tech and leadership.

But this isn’t just about what I have to say; it’s about sparking dialogue. So I hope you’ll join me in conversation because that’s the power and the opportunity of social media. Share your thoughts, join me on Twitter and let me know the kinds of topics you’d like me to blog about here. I’m looking forward to hearing what you have to say.

I hope you enjoyed a great summer vacation with your families and loved ones. Personally I had a wonderful and sunny holiday with my family in the south of Spain. Do you remember those days when the summers were quiet and peaceful? Where almost nothing notable was happening? I am afraid that those days are gone forever. I remember last summer, in 2012, when we had to take immediate action to support customers facing cyber-attacks within critical infrastructure in the Middle East. So far this year, there have been several attacks related to the crisis in Syria with the Syrian Electronic Army (SEA), and in Egypt. In addition to these cyber hacktivists, we are also seeing a steady increase in classical cyber threats involving attempted theft of finance and confidential data.

I just had a fantastic day in Dubai where McAfee launched its first Cyber Defense Center in the Middle East, a critical region in today’s world. First, important critical infrastructures such as oil and gas, finance and transport are based within the region. Second, it is highly innovative, with local governments investing heavily in cutting-edge projects around transportation and new technologies. The incredible evolution of architecture one can see in the region is truly a testament to the innovation and creativity of the people. When my driver picks me up at Dubai’s International Airport, I am always excited to see the new buildings, and to feel the incredible energy that surrounds the city.

The story of the Cyber Defense Center was born exactly 12 months ago. A wave of Advanced Persistent Threats (APTs) had successfully targeted the IT systems of regional organisations. Following these serious attacks, I participated in a meeting with 40 regional CIOs, and the request I heard loud and clear was: “We need more than top-notch products and technologies, we need competent resources in region. There needs to be a highly experienced team of incident response and forensics experts that can help both respond and proactively work with us to prevent and stay 10 steps ahead of the bad guys”. There needed to be a more strategic approach to partnering with our customers in order to develop their strategic security plan that mapped to their business objectives, as well as being able to respond immediately to incidents. They were asking for our help – and I knew we had to do something.

After a discussion with Michael DeCesare, our president, and his senior leadership team, we decided to create the Cyber Defense Center in the Middle East. It shows our commitment and support to the region. We partner with our customers by being their trusted advisor and helping them to protect their most valuable assets. It is all about mitigating risk and optimizing the security posture. As local governments have been investing heavily in new solutions to prevent and minimize the impact of attacks, McAfee’s Cyber Defense Center will be working closely with key stakeholders to better protect the region.

What a great launch this was! More than 70 customers were in attendance. We received enthusiastic feedback from the attendees, with some fantastic comments across Twitter such as “#McAfee has taken definitive steps to be the 1 #Security company in the world. I can’t think of any other single organization better suited.” After our customer event, we also held a media conference with about 20 journalists; we have already received some excellent coverage. I am extremely proud of our Professional Services organization. Our comprehensive range of services is closing the loop when it comes to our integrated Security Connected solution.

The launch of this Cyber Defense Center is a key milestone in strengthening ties between McAfee and the Middle East. Our commitment is strong and we are here to stay. I am thrilled to be here, and I am looking forward to spending quality time with our customers, partners and employees.

In conjunction with our investigation into Operation Troy, we will be releasing IOC data in the open and highly flexible OpenIOC Framework format. The McAfee Operation Troy IOC can be downloaded here. In addition to various open/free tools, OpenIOC data can be consumed by: McAfee …

May has been another very busy month packed with events and plenty of travel! I spent a few days with some of our best sales people at the McAfee President’s Club in Venice and Croatia, followed by a short stop at the McAfee Executive Summit in Frankfurt where I had the pleasure of catching up with some of our German customers following my presentation to the attendees. There was no stopping there – the day after the Executive Summit I travelled straight back to Amsterdam for the McAfee Labs day at our Executive Briefing Centre. It was here that some of our EMEA journalists learned of the launch of McAfee LiveSafe – McAfee and Intel’s joint vision for consumer security. The launch of this new service got me thinking about one particular demographic of consumer that is particularly vulnerable to threat: children.

Today’s youth has been brought up with the advent of the internet. As a generation of ‘digital natives’ they often know more about the ins and outs of online than their parents do. While it’s important for children to embrace new technologies and the benefits they can bring, there are dangers in cyberspace that both children and parents need to be aware of. In many cases, parents feel intimidated about how technologically advanced their kids are and refrain from enforcing rules that are imperative for protection as kids surf and socialise online. But at what cost?

As a father of two, child internet safety is front of mind for me and I recently stumbled across some new research on the subject as I was travelling. Parenting website Netmums questioned 825 children aged between seven and 16 on their internet usage and 1,127 parents on their perceptions of kids’ online habits.

The study found that more than a quarter of children pretend to be older to access certain websites, with an additional half of respondents stating they have accidentally accessed inappropriate content online. What’s worse is that almost 30% of the parents questioned admitted to allowing their children to access the Internet without restrictions or supervision.

We commissioned our own research last year, conducted by OnePoll, which revealed similar findings. We questioned 2,000 UK parents of children aged 5 to 15 on their kids’ use of the internet and found:

82% of five year olds already own or use an internet enabled device

60% of parents frequently let their child surf the web without adult supervision

One in six parents have been shocked to discover their child viewing unsuitable content

Only 45% of parents have had a serious conversation with their child about the dangers of online; a third believe the media is responsible for educating children

50% of parents haven’t taken any sort of preventative measures to ensure their child can’t access inappropriate content

There’s a clear disconnect between what children are doing online and what parents believe they are getting up to. More work needs to be done to redress the balance, and McAfee is committed to the cause. In November 2012 we launched an Online Safety for Kids programme in the UK, following success for the scheme in the US. The aim of the programme is to raise awareness of the potential risks and share knowledge about how to stay safe online. Our staff volunteer to teach online safety courses at schools in the communities where they live and work, alongside an online portal that provides schools, parents and kids with handy tips and tricks on how to safely navigate cyber space.

In addition to the programme, we had our annual community day on the 16th May, which saw McAfee employees going into schools to talk to youngsters about the dangers of the online world. This is an initiative that is very much close to my heart and, unlike the rest of my work, is something that I bring home to share with my own kids.

In order for children to take advantage of the benefits of the internet, parents have a key role to play in educating children on the dangers that lurk online. Security software is available that can restrict what kids see and do on the web, taking a lot of pressure off parents to stay current with every new risk. McAfee Family Protection is an example and is built to empower parents to say ‘yes’ to their children’s online activity, knowing they will be safe as they learn and explore.

But it’s also important that parents get involved with their kids’ online lives, and make sure they know how to act and react to what they see on the web. This should include frequent one-to-one conversations on how to practice safe online behaviour, whether they are researching their latest school project or chatting to friends. In playing an active role, parents can have peace of mind that their children are safe, protected and informed about the risks.

We previously wrote about what it means to be a security-obligated executive – how to identify threat warning signs and prep against cyber-attacks. Historically either the C-suite and the security teams haven’t spoken at all, or security teams haven’t spoken to execs in a simple enough language to be understood. At McAfee, we often educate our customers on the ways they can impact the security of an organization by simply opening the lines of communication.

There are major disconnects we often see when auditing the security of an organization. A typical security team will assess the ability to defend against generic threats or attacks and will develop a plan to fill in those holes. More often than not, the resulting roll-out plan is missing a key ingredient: an explicit understanding of the company’s assets that need to be protected.

To guarantee that the security strategy is aligned with the business objectives, we created an exercise to uncover business risks in a non-technical way so that the business risk and the security plan dovetail together seamlessly. What we call the 3 R’s (Riches, Ruins and Regulations) helps executives and security professionals speak in a common language. The exercise is designed to uncover critical and valuable assets that are core to the line of business. Oftentimes only the line-of-business employees are aware of the presence and relevance of these assets, and the assets are outside the purview of the security team. Because of this disconnect, the security controls deployed on these systems are often inappropriate in relation to the risk those assets pose to the organization.

How it works is simple: the first step is to identify the 3 R’s; then, based on the results, the security team uses the analysis to keep the company secure:

Riches

What assets can be targeted that would be valuable to a thief?

What are the ways assets can be stolen?

Who would be most likely to steal this asset?

How would a thief go about stealing this asset?

Ruins

What could you target specifically to ruin our reputation?

What direct costs or liabilities would our company incur if the asset is stolen?

What indirect costs, such as harm to reputation, would our company incur if the asset is stolen?

Regulations

What compliance rules does our company abide by?

Who is responsible for compliance?

Who audits our company’s compliance with these different regulations?

Do we have any contracts with penalties for non-compliance?

The primary purpose of the exercise is to uncover assets of significant value if stolen, potential attacks that might cause great damage, and finally the costs associated with failure to meet regulatory requirements. Identifying the 3 R’s will help the security-obligated executives have a clear vision of security as it relates to their company, which is the first step against cyber-threats and attacks.

This will be old news to those of you who took the time to visit McAfee Focus 2012 , but for the rest – my team took the opportunity to introduce the concept of the McAfee “Little Red Box” in the Innovation roadshow.

It’s a prototype project that my team has been working on for some time now, and will go some way to answer the need to protect all the connected devices in your home.

My house is the classic connected home – I have the usual assortment of PCs and laptops that have built up over the years, some relegated to the role of photo frame, others scattered around for occasional browsing and email use. There’s also the odd real photo frame (wirelessly connected to a media server, of course), and on that topic, numerous PlayStations, Xboxes, and other gaming consoles that my family enjoy.

If that wasn’t enough IP-connected equipment, you can add into the mix more than one of every Apple device made – iPads, iPhones, Apple TVs, even an Apple Mini – oh, and a few Samsung internet-connected TVs as well.

I often jest that I have an internet-toaster, but I don’t. My wife thought about buying an internet-fridge, but the fact it didn’t support wireless put her off.

I must be forgetting something, as my router DNS server regularly gets maxed out – oh yes, I have Sonos throughout the house as well, and also a few Apple Airport Express wireless repeaters.

You don’t come to my place if you’re sensitive to EMF…

Why am I bringing this up? Because most of these devices are what we call Closed OS – there’s no way McAfee (or any other security company) will ever be able to sell you security software to install on your Sonos media player – but that little white box is a high-powered Linux device, as able to be a bot or spam gateway as any other Linux laptop. And of course, Apple doesn’t let anyone write security software for iOS, nor does Samsung allow us to put security software on their TVs, or Sony/Microsoft on their consoles.

All these high powered devices are in our homes, internet connected, talking to the “cloud”, and exchanging data – and we have very little control or visibility over what’s happening.

So – back to the Little Red Box. Imagine a simple device which you plug into your wireless router, which instantly provides protection for all devices in your home.

Simple as that – plug it in, power it up, and with zero configuration, it will make sure nothing in your house participates in spam or botnets, that nothing can access known bad web sites or servers, and that your whole family is protected from inappropriate web content.

I’ve thought how to expand on that description – but that’s about it – that’s what the Little Red Box does. Technically it’s commandeering your network, filtering all DNS and web requests, watching for activities which could be indications of malicious attack, and applying the mass knowledge within the McAfee GTI system to every connected device.
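To make the DNS-filtering idea concrete, here is an added Python sketch (not McAfee code and not the Little Red Box implementation) of the core decision a gateway like this makes for every lookup: normalize the name, check it and each parent domain against a known-bad list, check it against a content-category policy, and keep a per-device count of what was blocked for the single monitoring view. The blocklist, the category table and the query log are all constructed for the example; the real device draws that knowledge from McAfee GTI rather than from a hard-coded set.

```python
from collections import Counter

# Constructed stand-ins for threat-intelligence data (not GTI data).
KNOWN_BAD = {"evil.example", "c2.badhost.example"}
CATEGORIES = {"adult.example": "adult", "casino.example": "gambling"}
# Assumed household policy: which categories are blocked for everyone.
BLOCKED_CATEGORIES = {"adult"}


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot; canonicalize first."""
    return name.strip().rstrip(".").lower()


def parent_domains(name: str):
    """Yield the name and each parent: a.b.c -> a.b.c, b.c, c.
    A listing for badhost.example must also catch beacon.c2.badhost.example."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def decide(name: str):
    """Return ('block', reason) or ('allow', None) for one queried name."""
    for domain in parent_domains(name):
        if domain in KNOWN_BAD:
            return ("block", f"known-bad:{domain}")
        category = CATEGORIES.get(domain)
        if category in BLOCKED_CATEGORIES:
            return ("block", f"category:{category}")
    return ("allow", None)


# Constructed DNS query log as the gateway would see it: (device, queried name).
SAMPLE_QUERIES = [
    ("sonos-kitchen", "updates.vendor.example."),
    ("sonos-kitchen", "beacon.c2.badhost.example"),   # a media player phoning a listed host
    ("kids-tablet",   "www.adult.example"),
    ("kids-tablet",   "school.example"),
    ("laptop",        "EVIL.example"),                # mixed case must still match
    ("laptop",        "casino.example"),              # categorized, but not in the blocked set
    ("laptop",        "news.example"),
]


def filter_log(queries):
    """Apply decide() to every query; return per-device block counts and the blocked entries."""
    per_device = Counter()
    blocked = []
    for device, name in queries:
        verdict, reason = decide(name)
        if verdict == "block":
            per_device[device] += 1
            blocked.append((device, normalize(name), reason))
    return per_device, blocked


if __name__ == "__main__":
    counts, entries = filter_log(SAMPLE_QUERIES)
    for device, name, reason in entries:
        print(f"{device}: blocked {name} ({reason})")
    print("blocked per device:", dict(counts))
```

The parent-domain walk is what makes a blocklist workable: attackers rotate hostnames under a domain far faster than a list could track individual names, so the listing lives at the domain level and every child inherits it.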

Even if your children have friends visiting, they are not going to be able to access anything inappropriate, or unpalatable…

I had 5 goals when designing this solution:

Protect all my devices in my home from malware and information loss

Protect my family from inappropriate content no matter how they access the internet

Ensure no device in my home participates in botnet, denial of service, or spam activity

Give me one place where I can monitor and manage the security and policy of all my devices

Make it stupidly easy to use

I hope those who visited our booth at Focus got to see how close we are.

You can’t buy one of these yet – it’s still something we are working on and proving out the concept for the future. It’s one possible solution to the “Connected Home” we believe people are moving towards. Technically the Little Red Box exists, and it works. If it’s something you might be interested in, we’d love to hear your opinions.

Next time I’ll give you another twist on this story – instead of buying a “Little Red Box” to protect your home – how about if the protection was built into your cable modem?

Late last week, reports began to surface that the Israeli police (along with other regional law enforcement) were targeted by a malware attack. The entry vector was described as a phishing campaign sent from Benny Gantz (head of the Israeli Defense Forces). Initially, details and indicators around the malware were beyond sparse. Aside from the FROM: address, little was known that could assist in any sort of investigation. After nearly 24 hours from the first reports, both details and samples of the malware started to flow. As soon as we could confirm details of the phish email and the malicious attachments, we were able to cross-reference sample data already in our malware database and connect the dots.

Generic Dropper.p (XtremeRAT)

This is where, from the research side, things begin to get fun.

Automated malware analysis is nothing new to our industry. Most vendors (ourselves included) have tools to handle this internally, and assist our skilled human analysts with proper classification, documentation, and other recurring tasks that must occur with the daily barrage of new and unique malicious binaries. The bar for this threat, however, has been raised. With ValidEdge, we were able to generate enormous amounts of usable and actionable data from the execution of malware samples. We get feedback from basic static analysis, as well as from runtime data. We get all the usual system modification data, and full and complete network/communication data, and samples and memory dumps from second-level threats (dropped, created, downloaded entities). And it’s all done in a safe environment, with extremely robust reporting.

To fully illustrate, let’s focus on the Trojan that affected the Israeli police. In the McAfee universe, we detect this threat as Generic Dropper.p.

To start with, you simply submit your sample(s) to the ValidEdge appliance/host. The ways to do that vary depending on implementation. In my setup, it’s as simple as dropping the file, via FTP, on the appliance, then picking up the results set the same way (different directory on the FTP server). Easy and fast. I immediately had a set of results from my submission of the following sample:

The result sets are organized as a specific directory structure.

Analysis report sample

This is where we typically end with most tools. The exception here, from my experience, is that there is much more data generated by the appliance to start taking action on. The way in which the information is organized is also very friendly and workable. Some basic examples follow:

Sample Data

Sample Data 2

Sample Data 3

Sample Data 4

From here we can get enough static data to build a picture of the malware and its behavior. We also have network data and full memory dumps and screenshots at our disposal should we need to dig further.

Memory dumps

PCAPs

All the secondary/dropped files are presented as well. As such, these can be easily analyzed in context.

Dropped files

Dropped files, specific to this threat, are detected via McAfee Global Threat Intelligence along with the current DATs.

At this point you have plenty of information to understand what this threat is doing, how it communicates, and much more. Some would argue that deep malware analysis is an art form. But to embark on that sort of journey you need enough data to make constructive, creative, and accurate decisions. Tools like ValidEdge do exactly that.

See March 15 and 16 updates at the end of this blog.

The March Security Bulletin release from Microsoft was relatively light in volume. Out of the six bulletins released, only one was rated as Critical.

And for good reason. MS12-020 includes CVE-2012-0002. This flaw is specific to the Remote Desktop Protocol (RDP) present on most current versions of Microsoft Windows. The RDP service, by default, listens on TCP port 3389. And because it’s so darn convenient, lots of people like to open their firewalls/ingress points to the traffic.

This is a bad/dangerous/insecure thing. (Choose your own favorite term.) I hope this issue (and many others before it) will influence anyone’s decision-making process when it comes to network hardening, external access, etc.

This is certainly not the first flaw in RDP. It is quite significant in that it does not require authentication to exploit the flaw; just a firing of some specially crafted packets. From that point the world (or the world that the compromised host lives in) is the attacker’s oyster. This is especially bad because the RDP service runs in kernel mode, under the System account (in most cases).

Keep in mind that it is very easy and takes little time to find targets. You see this type of situation all too often:

It’s Open!

This situation very quickly leads to an intruder trying to log in via brute force, or trying something new (like the flaw described in MS12-020)!

It Actually Works!!!!!

So, what can you do to protect your environment?

McAfee, Microsoft, and others firmly recommend that you prioritize the deployment of the MS12-020 update.

Other steps:

RDP is typically disabled by default. If there is any doubt, investigate and confirm in your environment whether and where it is running.

In Windows Vista or later, enable Network Level Authentication (NLA).

Even if you have NLA enabled, the flaw can be exploited if the attacker can gain authentication. This means you should verify strong (non-default, sufficiently complex) user/password combinations.
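The brute-force pattern shown in the screenshots above is straightforward to catch in the host’s own logs. As an added example (not part of the original post), this Python script scans a constructed, simplified rendering of Windows logon events (event ID 4625 is a failed logon and 4624 a successful one; logon type 10 is a remote-interactive, i.e. RDP, session) for repeated failures from one source address inside a short window, and raises a higher-severity alert when a successful logon then arrives from that same address. The one-line-per-event layout, the threshold and the RFC 5737 documentation addresses are constructed for the example; the field names mirror the Windows event fields, but this is not the Windows log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified event lines (not real Windows Security log output).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)

SAMPLE_EVENTS = [
    "2012-03-14T02:15:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=198.51.100.23",
    "2012-03-14T02:15:03 EventID=4625 LogonType=10 TargetUser=admin SourceIP=198.51.100.23",
    "2012-03-14T02:15:05 EventID=4625 LogonType=10 TargetUser=root SourceIP=198.51.100.23",
    "2012-03-14T02:15:07 EventID=4625 LogonType=10 TargetUser=guest SourceIP=198.51.100.23",
    "2012-03-14T02:15:09 EventID=4625 LogonType=10 TargetUser=test SourceIP=198.51.100.23",
    "2012-03-14T02:15:11 EventID=4625 LogonType=10 TargetUser=backup SourceIP=198.51.100.23",
    "2012-03-14T02:15:20 EventID=4624 LogonType=10 TargetUser=backup SourceIP=198.51.100.23",
    "2012-03-14T02:30:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.5",
    "2012-03-14T02:31:30 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.5",
    "2012-03-14T02:32:00 EventID=4625 LogonType=2 TargetUser=jsmith SourceIP=-",
    "this line is deliberately unparseable and must be skipped",
]


def parse(line: str):
    """Turn one event line into a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "eid": int(m["eid"]),
        "lt": int(m["lt"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def detect(lines, threshold: int = 5, window: timedelta = timedelta(minutes=1)):
    """Return alerts as tuples. A source address that produces `threshold` RDP logon
    failures inside `window` is flagged once; a later RDP success from a flagged
    address is reported separately, since that is the case that needs a response."""
    events = [e for e in map(parse, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    recent_failures = defaultdict(list)   # ip -> timestamps inside the window
    flagged = set()
    alerts = []
    for e in events:
        if e["lt"] != 10:                  # only remote-interactive (RDP) logons
            continue
        if e["eid"] == 4625:
            bucket = recent_failures[e["ip"]]
            bucket.append(e["ts"])
            while bucket and e["ts"] - bucket[0] > window:
                bucket.pop(0)              # slide the window forward
            if len(bucket) >= threshold and e["ip"] not in flagged:
                flagged.add(e["ip"])
                alerts.append(("brute-force", e["ip"], len(bucket)))
        elif e["eid"] == 4624 and e["ip"] in flagged:
            alerts.append(("success-after-brute-force", e["ip"], e["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The two failures from 203.0.113.5 are 90 seconds apart, so they never accumulate inside the one-minute window and produce no alert; the console failure (logon type 2) is ignored entirely because the detection is scoped to RDP sessions.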

McAfee DATs (partial coverage, for known PoC code, is provided as “Exploit-CVE2012-0002” in the 6652 DATs): 3/17

CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)(E:POC/RL:OF/RC:C)

UPDATES

March 15: McAfee Labs has observed in-the-wild proof-of-concept code targeting this vulnerability. There are a few varied samples that we are both monitoring and analyzing. At this time the coverage/mitigation data already in this post is still valid.

We are continuing to monitor this situation and will provide updates as needed. An updated MTIS Security Advisory has been sent to subscribers.

Welcome to “15 minutes with” – an occasional contribution between myself and the movers-and-shakers within McAfee’s technical community.

This week on the stand is my good friend and occasional co-presenter, David O’Berry CSSLP, CISSP-ISSAP, ISSMP, CRMP. Now a McAfee Strategic systems engineer, his previous life was 19 years in the public sector, culminating as Director of Strategic Development and IT at the South Carolina Department of Probation, Parole, and Pardon services where he gained a wealth of experience (and a long list of certifications).

David’s now part of McAfee, and intends to help McAfee customers more effectively deploy and use our wide range of solutions. I thought it would be interesting to pick his brain about the transition, as it’s quite rare for senior decision makers to join the vendor community…

So David, welcome to 15 minutes with – let’s start by introducing you to the audience – you’ve been in the public sector for a long time – what were you doing?

I worked alongside my team to create Personal Productivity Savings (PPS), defined as adding every minute we could to the end-user in the pursuit of Business Operating Efficiency (BOE). To me that meant finding ways within and outside of the organization to help things work better, to ensure business processes made sense, to blow up or go around roadblocks whether they be fiscal, political, personal, or imagined, to back my team to the hilt in their pursuit of goals that benefited not only my organization but the community as a whole.

For instance, in 2001/2002 we created an IT Strategic Plan that was titled Secure Access to a Ubiquitous Computing Environment or as we called it S.A.U.C.E. People look at that now and say…well sure…but at that time it was like we were heretics. Now radical consumerization and mobilization is an assumed thing but 8 or 9 years ago it was astounding how different things were.

At times, it was like herding cats and at other times it was like being strapped to a rocket that you had to build from what you could pull together based on funding models. My team and I learned to not only tolerate change but over time to embrace and then truly relish change.

Outside of my agency, I was the Security Domain Chairman for South Carolina, the Collaboration Team Lead, served on the MS-ISAC Executive Board, helped found the Trusted Computing Group’s TNC Customer Advisory Council, served as the Chairperson for the Open Group’s Improving the Digital Ecosystem Workgroup, served as the president of the Midland’s ISSA Chapter, while also steadfastly advocating for rapidly evolving customer-driven standards in both the network as well as the security space.

There are a number of other things but suffice to say without my team none of it would have been possible. They were and are like family to me and I take that very seriously.

Most importantly, I was helping to raise my 10 year old son while coaching everything I could coach for as many years as I could coach it.

Why make the shift to the dark side of the commercial sector? How do you think your experience can help McAfee help our customers?

It was an incredibly difficult decision because I worried about my team, my organization, the organizations like MS-ISAC etc. that I had been so heavily involved in…the State of South Carolina where I have participated so vocally over the last two decades…but when it came down to it I thought that the opportunity to continue the work I had been doing..helping to solve the incredibly difficult problem of strengthening the digital ecosystem worldwide could form a slightly different attack angle…it was time…

You’ve been with us a few months now – I hope you still think it was the right decision, but any advice to someone in a similar position thinking of switching from a customer to a vendor role?

I absolutely believe it was still the right decision. My team at PPP is excelling, led by my great friend Bill Miller. The State of SC, while I miss it, probably needed a break from me based on the current state of needed change in various areas. I still am involved, just not in the same capacity and I will always seek to assist South Carolina in becoming the amazing success I know it can be both within IT as well as in the delivery of services to citizens. New blood is never a bad thing and eventually new and old can mix to find a balance that maybe could not have been achieved if things stayed status quo.

As far as advice, don’t jump for money. Don’t jump for fame. Don’t jump for greener grass. Look deep inside you and figure out what you really want to do and where you think you can make the biggest impact. I am a big fan of long term wealth versus short-term greed.

I have always offered my assistance in any and everything without worrying about how it would positively impact me at some point. Don’t have an agenda when you are progressing in your career other than to make that difference, that impact…because in the end people can tell, your team can tell, and there is no substitute for being genuine and doing something you believe in with all your heart. At the same time, don’t let fear paralyze you about a move. Perfection is the enemy of progress and there will never be an absolutely perfect time to make a move like this one.

What was your first introduction to McAfee – any anecdote you’d like to share?

Oh wow…like maybe 1997 or 1998…I was cold called…hard sales job out of New Jersey…the number started at something like five times what I ended up at…perpetual license versus subscription..it was probably my first experience with just how much a vendor will do to earn business in certain times of the quarter/year end. Actually it probably was a keystone of my future negotiations with all of the tech companies I dealt with…so all you companies out there that I beat to death…you can thank McAfee for honing my skills early on!

I think the most interesting anecdote was that we owned all of the four “legs of the stool” or whatever they called it at that point. Gauntlet and PGP…McAfee Desktop…Magic HelpDesk…Sniffer (including the pizza boxes)…and the concept…it was there…it made so much sense…and it was so poorly executed on until David DeWalt and his group came in after the divestiture of most of those lines. I still get a kick out of thinking about the NAI/McAfee to Secure Computing to McAfee journey of like the firewall product etc. As a side note, PPP actually still uses Magic HelpDesk and it has served its purpose…it’s now BMC I think but it’s probably one of the last pieces that exist from that initial purchase…other than the endpoint.

Has McAfee ever burnt you? Did we recover gracefully/earn your respect for how we dealt with the problem?

I think any customer-vendor interaction is going to have its challenges. I am fairly certain, with most reputable companies, that they never set out to burn customers but that at some point bad decisions get made that are then compounded by a lack of knowledge and communication, etc., across both the customer and vendor organization.

Very few companies can avoid that aspect because of just how decentralized and haphazard communication with customers has become as the spend has climbed. From the McAfee perspective, I would say my experiences have been much more positive over the last three or four years than they were the first, ninth or tenth time.

It took a while for DeWalt to get things moving in the right direction and even now there are hiccups that have to be worked through and breakdowns in communication between the end rep and the customer that take effort to manage. In the most recent years, I would say the integration of SafeBoot into McAfee ePolicy Orchestrator (ePO) and the challenges associated with it and some newer HP equipment probably stand out as one of the most intense challenges for PPP’s relationship with McAfee.

At the same time, we worked through it and McAfee provided the assistance we needed to get things squared up. Beyond that, it’s the normal things associated with all anti-malware vendors…the DAT file issue…etc. All in all, the good has far outweighed the bad and McAfee’s people and the integrated (hopefully continuing to move to open) story have made a huge difference in why we have stuck with them versus finding a cheaper or possibly slightly better point solution on any given day.

Chasing the shinies as a CIO will get you flat killed…patience matters as long as your vision is solid and you have vendor partnerships that are true relationships that transcend a supplier/consumer model.

So David – 19 years implementing vendor products in local government – if you had to give three pieces of advice regarding vendor/customer relationships, what would they be?

Hmm…great question….

I think first of all I would say that both sides have to realize that it really is a relationship. What happens sometimes is that it turns into a demand/supply equation instead of a true relationship. Both sides have to be willing to work on things that are at times not comfortable and that may not go completely the way they want it to…in a relationship that benefits both parties that is doable. In a supply/demand equation you lose a lot of that flexibility.

Something that goes along with that is do the research on what’s out there and at the same time know what business problem you are trying to solve and be able to communicate both what you know and what you need clearly. If you are more interested in what they are selling or where you guys are going for lunch and how much smoke someone is going to blow to pump you up then you lose control of what is going to be best for the organization you are working for in the end.

In the past, the hardest part was that new and shiny is sexy, so often people are down the rabbit hole with boxes of new toys piling up, based more on what the sales rep said than on what they need. That can lead to a great deal of angst and miscommunication down the road, which ultimately leads to alienation of both your organization and the vendor. Getting along with the vendor is not only a good thing, but truly necessary to create that win/win relationship everyone is after. But do not let it color what you do for your organization.

That was probably more than two but as a third, I would say…don’t give up on requiring vendors to be more open. This gives you the freedom to make the decisions that benefit your organization when you need to make them, instead of when the next sales cycle rolls around.

I have always told vendors, don’t make me depend on you executing on your business plan in order for me to execute on mine. I have seen so few companies in this industry actually execute successfully for five or even three years in a row at times. That means they have to make business decisions that may be counter to your best interest. That is fine because that is their business but your business requires you to be flexible and agile which means not depending on a single vendor or a homogeneous ecosystem.

When I first got on the soap box about this many years ago it was Microsoft and Cisco that were the prime targets of my discussions…now it’s any company that expects to prosper going forward. Many thought I was a heretic for saying this a while back, but now I think many of those same people realize this is not hate for any single company. It’s a love for innovation that I firmly believe is significantly encouraged by adherence and support of open standards both on the supply and demand side of the equation.

We often get told that local government users are not capable of handling things like passwords, or understanding the concept of security – do you think this is true? Does user education help?

At this point in my career and for the past 10+ years I actually believe in the user to be perfectly blunt. I think we have failed the user for so many years, as a profession. It is easier for us to lump them all together into some giant ignorant unwashed mass than it is for our profession to actually do an evaluation of how we failed them and how we can eventually fix the problem.

When I say we failed them I take my share of that responsibility. Early in my career, I too went down the path of the user-proof concept because I was not confident that users could even care enough to learn. The technology curve kept accelerating and the education curve fell farther and farther behind. This inverse relationship is really hurting us now from a holistic security approach because whether it was too hard, or too tedious, or what…we have pushed user education way way down the charts for 20+ years.

I think the late 80’s and 90’s greatly contributed to this crippled state of existence. It was then that we began obfuscating everything behind GUIs in order to make the “user experience” more palatable as we hit critical mass with consumption of PCs. We never really asked should we…we just did because as a profession we did not really have the ability and even the knowledge to stand up and make a cogent argument for why security even mattered at that point…why the users being able to learn how to be secure mattered…instead we made it as easy as possible and now we are paying for it.

The entire foundation is flawed yet instead of knocking it down and starting over we are forced to try to go top down floor by floor to get to a root of trust that I am not even sure exists now…if it ever existed. The model has to change from absolutes to a more developed set of overlapping nets with holes of different sizes and from an avoidance mind-set to a resilience and mitigation mind-set.

The only way we can get there is through the users though…all the nastiest technology in the world will not solve this if we don’t start working together both as IT and users and enterprise to enterprise.

So David, I know standards bodies are really close to your heart and you’re an active participant in many groups – are there any standards you think could really make a difference, which you think the industry is avoiding taking on or participating in?

Oh boy…you are going to get me in trouble in my first month on the job! Hmm…I am a firm believer in open standards in general and right now a large part of my time has been spent on SCAP, Trusted Computing Group’s Trusted Network Connect, IF-MAP including how that can fit within cloud interoperability concepts etc.

I also believe that a strong standardized fully featured secure network control language has to evolve. Beyond that, in the cloud we have to look to audit and compliance standards…visibility standards…transportability…eventually interoperability…like roaming agreements from cell phone vendors…a spot market with very fast CIA-C profile matches that allow enterprises to really gain the agility required to conduct business at rapidly increasing speeds with little to no margin for error in the marketplace.

Even now I grow more frustrated by the day when I hear companies try and explain why their non-standard black box fabric is better than TRILL and therefore TRILL does not need to be supported. There are companies that have been stalwarts of standards and that have now seemingly turned hypocritical to those professed tenets, based on getting a leg up, that really harm the industry.

I think that companies that have the marketshare are always trying to protect that marketshare as a general rule, and the ecosystem as a whole does not matter to them because the next quarter has to matter. That is unfortunate and one of the areas where I do believe that if we do not get our act together as an industry we will be mandated to do so by some intense regulations.

Longer term, enterprises and governments will not care one bit why something occurred that either breached them or crippled their ability to do their jobs. They will instead care that we, as an industry, were either able to protect them or not. To me, I believe we are skating on a very thin sheet of ice right now as a profession and industry because many companies keep turning a blind-eye to what really does matter to the people they are supposed to serve…their customers.

I’ve always told companies, don’t make me have to execute on my business plan while solely depending on you to execute on yours. That’s a recipe for disaster because I have not seen a single tech vendor execute, from a customer’s perspective, for a five year period…or even a three year period…there is too much internal stuff that has to go on for that to happen and vendors’ different product managers seldom act as one entity even within their own company.

Bluntly, it has never seemed like a very customer friendly environment anyway. Most of the efforts going towards assuaging concerns versus actually finding out the real issues and attacking them is at the root of the problem. What we need is a true customer driven gap analysis of standards and where and what we need going forward.

That is going to have to be in an organization that does not exist today, unless there is one out there that can take it up. In my opinion, most of the standards bodies are poisoned at this point. It’s one of the reasons I registered demandstandards.com/org/net a while back in order to start working on that type of solution…in my spare time!

Finally, I have to ask about the excessive number of letters after your name – can you tell us a little about them, and perhaps your thoughts on whether security professionals should go through independent review of their skills?

Yeah, I have stopped putting a bunch of them on there at this point. It is kind of a running joke…talking about tri-fold business cards etc. I have seen some people that dwarf mine though, but you always wonder about the substance. I believe that independent review is a must. One of the ways I do that is writing questions for ISC2 for the CSSLP, CISSP, ISSAP, and ISSMP exams.

Believe me, near instant peer review of questions you write is a humbling and very educational exercise. I also never shy from a conversation as long as people are open-minded. Right now, the importance of the digital ecosystem is second to none to the continued stable advance of society.

With that in mind, we allow anyone to call themselves a cyber-security expert. That is counter-intuitive. You don’t let people operate on your brain without intense rigorous review because the number of fatalities would be high. Would they be as high as if a digital event took out a hospital though? The electric grid? Yet, we continue to have incredibly subjective measures of ability in our profession.

Maybe that is all we can do right now but I will tell you I have seen enough paper tigers in my day to realize that certifications are certainly not the only measure of ability and in reality may sometimes be a counter-indicator. There has to be some hybrid though, a balance there between what you can do and what can be measured and then the certifications you achieve. We are just not there yet and bluntly may never be there.

Wow – well thanks for your time today David – before we go, I know you’re an active speaker on security issues – any events you’d like to promote?

Hmm…I just got back from speaking on a panel at the NSA’s 2nd Annual Trusted Computing Conference and felt that to be incredibly worthwhile. Coming up, I will be speaking at NASCIO, McAfee’s Focus, followed by the NIST Conference up in Maryland at the end of October.

I believe all of those are worthwhile for the various segments for which they are targeted. If I can answer any questions for anyone while there, either during the panels and talks or afterwards, then please do not hesitate to fire away. I love to learn and solid discourse is the single best way I have found to do that in this world.


For the last couple of weeks I’ve been presenting around the U.S. at events such as Secure360 in St. Paul, and the McAfee Executive Summits in Boston and New York.

One question I was asked at every event, was “What is a mobile device?”

The flippant answer of course which after two weeks of middle seats and hours of flight delays comes easily to my lips, is “A device which moves from place to place” – but is that strictly true any more?

Companies such as McAfee target different feature sets at “mobile” devices and non-mobile ones: our laptop malware solutions (the laptop traditionally being considered a non-mobile device) are, for obvious reasons, very different from our smartphone ones.

There’s a lot more attack surface on a laptop than an iPhone, no one really thought about network intrusion protection for GSM networks etc. But, the problem seems to be that the line between the two is blurring. I’ll give you an example – what about the iconic iPad typically considered a “mobile” device?

you can’t make a call on it (unless you have Skype),

you can’t roam around the world and stay connected (unless you have the 3G version)

it does not have a keyboard (unless you have a Bluetooth keyboard case)

you can install your own thick apps on it, and you can create presentations and documents on it

As you can see – when you dig deeper, the iPad has many of the attributes of a laptop, and also many of its smaller brethren, the iPhone.

What about the ChromeBook, which Google saw fit to send me a free one of recently?

it has a screen, mouse and keyboard like a normal laptop, but I can’t install any “real” apps on it

it has no local storage (that users can access yet), needs permanent connectivity to the cloud

it has an OS which can only be patched by the manufacturer

All in all, aside from its size, it’s more like a smartphone than an iPad, yet physically it IS a laptop.

What about an Android device?

the OS is on everything from tiny phones to iPad/notebook equivalents

it’s a full OS which can be changed by the user if they root it

thick apps are numerous as are settings

It may have a keyboard, a touch screen, or maybe neither?

An Android device is usually connected, and powerful – is it a mobile? How divorced is it say from a Ubuntu slate PC? So the lines are blurred – the way these devices are used, the expectations of the users themselves, and the range of threats attacking them is so diverse that it can be very confusing indeed to work out what the “strategy” is in any particular case.

The way I’ve been framing it to my teams is in terms of the “malleability of the OS” – for example on a traditional Windows / OSX / Linux laptop, the OS is very changeable by the user – you can go in, delete things, adjust things, basically mess the thing up to the point it does not work any more. With this malleability comes additional threat surface – malware can exploit any number of things to gain access to your system.

Taking a ChromeBook or iPad though, the OS is completely hidden from the user – there’s nowhere near the attack surface that OSX, Windows or Linux (or their associated apps) expose, and thus the threats come from a different direction – browser exploits, plug-ins, phishing, and the occasional bad app distributed by the various stores.

The user (and malware) has a much lower ability to interact badly with the device OS, BUT the device is mostly unprotected if it happens, and the manufacturer may be the only one who can patch it if needed.

What happens if your company has an APT attack on your smartphones? How long do you think it would take you to notice, and how long for the device vendor to release a patch that perhaps only you need?

To me, framing the question in terms of malleability is a really effective way of segmenting out our understanding and vision for the plethora of devices that need protection – “mobile computing” platforms are split between the malleable and non-malleable OSs, so perhaps that’s where we should be focusing our attention rather than this confusing “mobile or not” categorization, when everything is pretty much mobile after all.

Of course I am concerned that malleability is such a sucky word, does anyone have a better suggestion?


Well, One week into the Intel/McAfee relationship and I am pleased to say it’s already bearing fruit. Over the last few days I’ve been reaching out to all my Intel peers, making the connections with people which were simply impossible while the deal was going through all the evaluations.

I had an interesting discussion with Knut Grimsrud in the Intel storage division today about “clever” things we can do to improve performance and security on the Intel SSD hard disks.

Typically, encryption and SSDs are not pleasant bedfellows. Sure, it works, but as most have found, an SSD which has been encrypted performs slower than one which has not. This is due to a few factors, but mostly because encryption at the sector level writes a capacity’s worth of data to the SSD, leaving it little “free space” to work with afterwards.

Data stored on SSDs is not arranged like sectors on a magnetic disk – in fact, you can imagine it more like tape storage. New writes are written to fresh pieces of tape, it’s not until you reach the end of the tape, that the disk starts overwriting earlier deleted or unused areas.

This is done because the NAND storage in an SSD, again like magnetic tape, has a finite number of write cycles it can go through before it starts degrading. By spreading the writes into new areas of “tape”, and overwriting as little as possible, the drive can extend its useful life far beyond the 10,000 or so write cycles any particular block is good for.

So, doing a full encryption on an SSD obviously has some consequences – all that beautiful fresh tape gets used up, and the drive starts going and filling in gaps and deleted areas – and, to add insult to injury, overwriting a bit of NAND storage takes significantly longer than writing a fresh or unused piece. The final nail in the performance coffin is that the drive cannot tell areas occupied by real files from areas that were merely overwritten by the encryption routine – thus the internal “garbage collection” routines which go looking for reusable areas of storage are working in overdrive to find somewhere to write to.

So, how to solve this performance problem? Well, lucky for us Intel already made a tool available to do exactly that, though it was intended for other purposes. Let me introduce you to the Intel SSD Toolbox, in particular, the Intel SSD Optimizer.

The Optimizer is designed to go through your smart little SSD, and work out what storage is in use by current files, and what is free – either never used, or was in use at one stage, but the file’s been deleted. The Optimizer then tells the SSD using a special command called “Trim” that certain blocks of space can be considered free.

So, your slow encrypted 160GB drive with 40GB of data on it and 120GB of mysterious encryption remnants goes back to having 120GB of nice fresh free space, and blistering performance to match.

You can run the optimizer once after encryption, but as Intel recommends, it’s good to run it regularly to keep your drive in top performance.

To close, people have asked why we don’t just ignore all the unused space on the SSD to start with. The challenge is, that writes on the SSD get scattered all over the place – there’s no way of tracking them down, and remember, when you overwrite a sector on an SSD, you are in fact writing a new sector somewhere else. Since we want to make sure that any data on the drive prior to encryption is also protected, we have to make sure we touch all the storage. We don’t want someone to be able to disassemble the SSD, dump the memory and find a copy of some very sensitive data on your encrypted drive.
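To make the mechanics above concrete, here is a toy flash-translation-layer model written for this page (not Intel’s or McAfee’s code, and not the Optimizer itself): sectors are written out of place, a block is reclaimed only when erased pages run short, and TRIM lets the drive treat declared-free sectors as reclaimable. It also shows the caveat behind the last paragraph: the old plaintext copy of an overwritten sector stays in its stale page until the drive erases that block. Block size, spare capacity, the relative program/erase costs and the hex “cipher” are assumptions chosen for illustration.

```python
# Toy flash translation layer (FTL) model: out-of-place writes, garbage collection
# and TRIM. Block size, spare capacity and program/erase costs are made-up assumptions.
import copy


def toy_encrypt(plaintext):
    """Stand-in for a sector cipher; hex keeps the plaintext out of the 'ciphertext'."""
    return "ct:" + plaintext.encode().hex()


class ToySSD:
    PROGRAM_COST, ERASE_COST = 1, 10  # assumed relative cost of a page program / block erase

    def __init__(self, logical_sectors, pages_per_block=4, spare_blocks=1):
        self.ppb = pages_per_block
        n_pages = (logical_sectors // pages_per_block + spare_blocks) * pages_per_block
        self.phys = [None] * n_pages    # page contents; None means erased
        self.valid = [False] * n_pages  # True while the page is the live copy of a sector
        self.l2p, self.p2l = {}, {}     # sector -> page, page -> sector
        self.erases = self.relocations = self.cost = 0

    def _pages_in(self, block):
        return range(block * self.ppb, (block + 1) * self.ppb)

    def _stale(self, page):  # written but no longer live: reclaimable, bytes still present
        return self.phys[page] is not None and not self.valid[page]

    def free_pages(self):
        return sum(d is None for d in self.phys)

    def remnants(self, needle):
        """Physical pages, live or stale, whose contents still contain `needle`."""
        return sum(needle in d for d in self.phys if d is not None)

    def _program(self, page, data, sector):
        self.phys[page], self.valid[page] = data, True
        self.l2p[sector], self.p2l[page] = page, sector
        self.cost += self.PROGRAM_COST

    def _erase(self, block):
        for p in self._pages_in(block):
            self.phys[p], self.valid[p] = None, False
            self.p2l.pop(p, None)
        self.erases += 1
        self.cost += self.ERASE_COST

    def _gc(self):
        """Reclaim the block with the fewest live pages among those holding stale pages."""
        blocks = range(len(self.phys) // self.ppb)
        candidates = [b for b in blocks if any(self._stale(p) for p in self._pages_in(b))]
        assert candidates, "nothing to reclaim: every written page is live"
        victim = min(candidates, key=lambda b: sum(self.valid[p] for p in self._pages_in(b)))
        spare = [p for p in range(len(self.phys)) if self.phys[p] is None and p not in self._pages_in(victim)]
        for p in self._pages_in(victim):
            if self.valid[p]:  # live data is copied out before the block is erased
                self._program(spare.pop(0), self.phys[p], self.p2l[p])
                self.relocations += 1
        self._erase(victim)

    def write(self, sector, data):
        """Out-of-place write: the previous copy of `sector` is only marked stale."""
        if self.free_pages() <= self.ppb:  # keep one block's worth of erased pages for GC
            self._gc()
        if sector in self.l2p:
            self.valid[self.l2p[sector]] = False
        self._program(self.phys.index(None), data, sector)

    def trim(self, sectors):
        """TRIM: the host declares sectors free; idle GC then erases fully stale blocks."""
        for s in sectors:
            if s in self.l2p:
                self.valid[self.l2p.pop(s)] = False
        for b in range(len(self.phys) // self.ppb):
            pages = self._pages_in(b)
            if any(self._stale(p) for p in pages) and not any(self.valid[p] for p in pages):
                self._erase(b)


def workload(drive):  # eight scattered writes; returns the (erases, relocations, cost) they caused
    start = (drive.erases, drive.relocations, drive.cost)
    for s in (0, 4, 8, 12, 1, 5, 9, 13):
        drive.write(s, f"update-{s}")
    return tuple(b - a for a, b in zip(start, (drive.erases, drive.relocations, drive.cost)))


def demo():
    """16-sector volume holding one small file; encrypt every sector; then TRIM the unused ones."""
    drive = ToySSD(logical_sectors=16, pages_per_block=4, spare_blocks=2)  # 24 physical pages
    for s in range(4):
        drive.write(s, f"secret-{s}")  # the only data the file system actually holds
    free_before = drive.free_pages()
    for s in range(16):  # whole-volume encryption rewrites every sector, used or not
        drive.write(s, toy_encrypt(drive.phys[drive.l2p[s]] if s in drive.l2p else "unused"))
    untrimmed, trimmed = copy.deepcopy(drive), copy.deepcopy(drive)
    trimmed.trim(range(4, 16))  # Optimizer-style pass: sectors 4..15 hold no file data
    return {
        "free_before_encrypt": free_before,                         # 20
        "free_after_encrypt": drive.free_pages(),                   # 4: only the GC reserve is left
        "plaintext_pages_after_encrypt": drive.remnants("secret"),  # 4 stale pages still readable
        "no_trim": workload(untrimmed),                             # (4, 7, 55): GC on most writes
        "free_after_trim": trimmed.free_pages(),                    # 20
        "plaintext_pages_after_trim": trimmed.remnants("secret"),   # 0: the stale block got erased
        "with_trim": workload(trimmed),                             # (0, 0, 8): no GC at all
    }
```

The same eight writes cost an erase plus relocations on almost every call before TRIM and nothing but eight page programs after it, and the four stale plaintext pages survive in the untrimmed drive until its first garbage collection happens to pick that block.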


You know I always thought that at some point, printed books would go the same way as vinyl. Despite sporadic revivals by the music industry and its use by particular groups such as the electronic and “mixmasters,” the majority of households have already replaced turntables with the latest technologies.

The gradual shift, and more importantly reliance on technology, means that failure to observe one of the three key tenets of information security, availability, is having a dramatic impact on people’s lives. Take for example the recent virus outbreak at Portsmouth libraries. It was reported that the impact of this outbreak resulted in public internet access being suspended for two weeks. (http://www.bbc.co.uk/news/uk-england-hampshire-12199223)

Although this is unlikely to be a problem for technology professionals like yourself, for many people this is the only lifeline they have to the online world. A member of the Portsmouth Pensioners Association said that “A lot of our members do go to use the computers, because maybe they can’t afford to buy one or run one from home. It’s a shame for them because it’s a good way to stay in contact with people.”

Ensuring that systems are protected from unauthorized malware is a critical function for every organization, but when those systems provide a civic function to some of the most vulnerable groups in society, then it should be mandatory. Access to the online world is now absolutely necessary in order to compensate for the closure of a number of post offices throughout the UK, and so the role of the local libraries is becoming more important than ever before.

Unless we want to keep the internet to only those lucky enough to own a computer, and only allow them access to the array of services both public and private sector has to offer, more must be done to ensure that outages are prevented. After all, there are solutions available to protect systems from such outages.


A pet project of mine for a couple of months now, McAfee’s secure-short URL service http://mcaf.ee went through a viral launch last week and has taken flight!

Leveraging McAfee Global Threat Intelligence, McAf.ee lets you create short URLs which are checked against our databases of known spammy, dangerous, malware-hosting, bot-control etc. sites prior to being shown.

A while ago there was a glut of dangerous short links circulating around Twitter, Facebook etc – this is something McAfee can proactively do to help offer a little more safety in our online lives.

You can create a short URL for any site, but when someone clicks on it, if the site is flagged as dangerous we throw up a warning page to give users a chance to back out before visiting. We also show our categorization of the site, and of course, there are various levels of danger – the most dangerous (red) sites we block, so the user cannot visit without typing the “long” URL; for suspicious (yellow) sites we warn the user but allow a click-through; and the sites we believe are safe (green) we display straight away.

This service was created by the McAfee Office of the CTO, which I am part of – the team is charged with looking into and creating innovative test projects, which, if successful can be rolled into the more traditional McAfee Business Units. It means we have a little more freedom to go out on a limb and try new ideas out.

You can find more information, and of course comment and add feature suggestions, or report issues on our forum http://mcaf.ee/about


Yesterday, McAfee completed the acquisition of privately owned tenCube, the provider of the WaveSecure mobile security service. I’m excited to say that McAfee will now have a single platform, from the consumer to the enterprise, to address the management and security of all device types, to all markets and with the most robust feature set.

Mobile security has become a key part of McAfee’s strategy for growth. The mobile device market has grown exponentially over the last couple years. The iPhone, iPad and Android platform have really acted as agents of change—the level of innovation with these devices and the applications available is unprecedented. According to IDC, the ongoing demand for smartphones will drive the worldwide converged mobile device market to a new shipment record in 2010, with additional impetus from the shifting landscape of mobile operating systems.

McAfee is well poised to lead this market. We have more than 20 years of expertise in securing the endpoint, nearly a decade of experience securing mobile devices and a vast partner ecosystem. Now, with added technologies from tenCube and Trust Digital, we are well positioned to out innovate our competition and deliver the broadest mobile platform available.

The WaveSecure security service for consumers allows users to remotely control their devices, manage the data on their phones, ensure privacy in the event of device theft or loss and enhance the possibility of recovering the phone. McAfee also plans to offer a child locator service, using the unique technology from WaveSecure.

McAfee Trust Digital allows companies to extend the data center to smartphones in the same way that they do so for laptops, leveraging the native capabilities of the device and the enterprise IT infrastructure to deliver native applications. With the Enterprise Mobility Management solution, enterprises can have the same data protection, compliance, and security policy management that they have with their laptops.

Big news today for the security industry and the future of the Internet with the agreement for McAfee to be acquired by Intel.

This is incredibly exciting to me as it reflects what we at McAfee have been saying for some time: security is a fundamental component of modern computing and it is increasingly relevant in a completely connected world. Intel’s agreement to acquire McAfee underscores that.

The number of connected devices is expected to grow from 1 billion to 50 billion by 2020, according to industry estimates. This explosive growth of Internet and IP-enabled devices is reshaping communication, collaboration and commerce opportunities for individuals and organizations around the world.

At the same time, cybercriminals and cyberterrorists are misusing the Internet’s open and any-to-any communication architecture for malicious purposes, leaving many users at risk and the future of the Internet as we know it in question.

The current cybersecurity model isn’t extensible across the proliferating spectrum of devices – providing protection to a heterogeneous world of connected devices requires a fundamentally new approach to security. The industry needed a paradigm shift; incremental improvements can’t bridge the opportunity gap.

There is no better partner that we could have found than Intel. They share our vision for security and they share our vision of a connected world. Working together we’ll be far stronger globally and able to make a much bigger difference in people’s lives.

We are joining forces to tackle this next-generation cybersecurity issue, which impacts everyone and anything connecting to the Internet. Security will be a third pillar in Intel’s strategy, next to power-efficient performance and Internet connectivity. By bringing McAfee’s security DNA to Intel, we can offer better solutions and products to the market. By next year, we will introduce new security offerings as a result of our collaboration.

When the acquisition closes, we will have the knowledge and scale necessary to capture the opportunity in security and deliver growth and value to Intel, McAfee, our customers and our combined shareholders. McAfee will remain a standalone subsidiary and retain its leadership team and expertise, which will facilitate future innovation in security.

You can find more detail about the acquisition in the news release that went out today as well as in George Kurtz’s blog.

We’ll be following up with you with regular communications during the approval process. Until then, thank you again for your interest in McAfee.

Dave

Additional Information and Where to Find It

McAfee, Inc. (“McAfee”) plans to file with the Securities and Exchange Commission (the “SEC”) and furnish to its stockholders a proxy statement in connection with the proposed merger with Jefferson Acquisition Corporation, pursuant to which McAfee would be acquired by Intel Corporation (the “Merger”). The proxy statement will contain important information about the proposed Merger and related matters. INVESTORS AND STOCKHOLDERS ARE URGED TO READ THE PROXY STATEMENT CAREFULLY WHEN IT BECOMES AVAILABLE. Investors and stockholders will be able to obtain free copies of the proxy statement and other documents filed with the SEC by McAfee through the web site maintained by the SEC at www.sec.gov, and from McAfee by contacting Investor Relations by mail at McAfee, Inc., 3965 Freedom Circle, Santa Clara, California 95054, Attention: Investor Relations, by telephone at (408) 346-5223, or by going to McAfee’s Investor Relations web site at investor.mcafee.com (click on “SEC Filings”).

McAfee and its directors and executive officers may be deemed to be participants in the solicitation of proxies from the stockholders of McAfee in connection with the proposed Merger. Information regarding the interests of these directors and executive officers in the transaction described herein will be included in the proxy statement described above. Additional information regarding these directors and executive officers is also included in McAfee’s proxy statement for its 2010 Annual Meeting of Stockholders, which was filed with the SEC on May 10, 2010. This document is available free of charge at the SEC’s web site at www.sec.gov, and from McAfee by contacting Investor Relations by mail at McAfee, Inc., 3965 Freedom Circle, Santa Clara, California 95054, Attention: Investor Relations, by telephone at (408) 346-5223, or by going to McAfee’s Investor Relations web site at investor.mcafee.com (click on “SEC Filings”).

Note on Forward-Looking Statements

The subject document contains certain forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934, including but not limited to, statements regarding the expected benefits and costs of the transaction, the plans, strategies and objectives of management for future operations, and the expected closing of the proposed Merger. These forward-looking statements involve certain risks and uncertainties that could cause actual results to differ materially from those indicated in such forward-looking statements, including, but not limited to, the ability of the parties to consummate the proposed Merger, satisfaction of closing conditions precedent to the consummation of the proposed Merger, including obtaining antitrust approvals in the U.S., Europe and other jurisdictions, the ability of Intel to successfully integrate McAfee’s operations and employees, the ability to realize anticipated benefits of the proposed Merger, and such other risks as identified in McAfee’s Annual Report on Form 10-K for the fiscal year ended December 31, 2009, and McAfee’s most recent Quarterly Report on Form 10-Q, each as filed with the SEC, which contain and identify important factors that could cause the actual results to differ materially from those contained in the forward-looking statements. McAfee assumes no obligation to update any forward-looking statement contained in the subject document.